fix(roles/icinga2_master): pre-install nagios-selinux on RHEL 10 for icinga2-selinux %post

The `icinga2-selinux` policy module references `nagios_*_plugin_t` types
that were moved out of the EL10 base policy into the separate
`nagios-selinux` package (EPEL). Without it, `icinga2-selinux`'s `%post`
fails silently in `semodule -i`, the `icinga2` module never loads, and
later `setsebool -P icinga2_can_connect_all on` errors out with
`SELinux boolean ... is not defined in persistent policy`.

Install `nagios-selinux` from a separate, pre-installation task on
RHEL 10 so its `%post` registers the required types before the main
package list (which contains `icinga2-selinux`) is processed. A single
`dnf install` transaction covering both packages is not enough because
the `%post` order between siblings without an explicit `Requires` is
not deterministic.

Author: danyalberchtoldlf

CHANGELOG.md

@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 * **playbooks/freeipa_client, playbooks/freeipa_server**: Set `strategy: 'linear'` explicitly so the playbooks work even when the user's `ansible.cfg` defaults to a strategy that reuses the target Python interpreter (e.g. `mitogen_linear`). The ansible-freeipa modules rely on `ipalib`'s global API singleton and otherwise fail with `API.bootstrap() already called` on the second module call.
+* **role:icinga2_master**: Fix `selinux` role failing on RHEL 10 with `SELinux boolean icinga2_can_connect_all is not defined in persistent policy` (and `[Errno 11]` for the other Icinga/Nagios booleans). The `icinga2-selinux` policy module references `nagios_*_plugin_t` types that were moved out of the EL10 base policy into the separate `nagios-selinux` package (EPEL), so without it the `icinga2-selinux` `%post` silently fails and the booleans never appear. The role now installs `nagios-selinux` as a separate pre-install task on RHEL 10 so its `%post` registers the required types before `icinga2-selinux`'s `%post` runs.
 * **role:infomaniak_vm**: Stop passing `security_groups` to `openstack.cloud.server`. Since the security group is already applied on the `ext-net1` port, setting it on the server made Neutron attempt the same on internal-network ports where `port_security_enabled` is `false`, failing with `Network requires port_security_enabled and subnet associated in order to apply security groups.`
 * **role:openvpn_server**: Fix `invalid selinux context: [Errno 22] Invalid argument` on RHEL 10 when deploying `server.p12` / `crl.pem`. The SELinux type `openvpn_etc_t` no longer exists in the RHEL 10 core policy (only `openvpn_port_t` and the packet types remain). The role now uses `etc_t` on RHEL 10 via a new OS-specific internal variable `__openvpn_server__selinux_etc_type`; other platforms keep `openvpn_etc_t`
 * **role:repo_epel**: Fix malformed RHEL 10 `epel.repo`: a missing newline in the `[epel-source]` section rendered `enabled=0username=<login>` when `repo_epel__basic_auth_login` was set, causing dnf to reject the file with `Invalid configuration value: enabled=0username=...`

roles/icinga2_master/tasks/main.yml

@@ -8,6 +8,13 @@
 
 - block:
 
+  - name: 'install OS-specific prerequisite packages # ensures correct %post ordering before the main package list is installed'
+    ansible.builtin.package:
+      name: '{{ __icinga2_master__pre_install_packages | d([]) }}'
+      state: 'present'
+    when:
+      - '__icinga2_master__pre_install_packages | d([]) | length > 0'
+
   - name: 'install icinga2 and dependent packages'
     ansible.builtin.package:
       name: '{{ icinga2_master__required_packages }}'

roles/icinga2_master/vars/RedHat10.yml

@@ -0,0 +1,3 @@
+# `nagios-selinux` provides the `nagios_*_plugin_t` types referenced by `icinga2-selinux`'s policy module — they were moved out of the EL10 base policy into the separate package. Installed as a pre-install package so its `%post` runs before `icinga2-selinux`'s.
+__icinga2_master__pre_install_packages:
+  - 'nagios-selinux'