fix(roles/openvpn_server): use etc_t for file labels on RHEL 10

The SELinux type `openvpn_etc_t` was removed from the RHEL 10 core
policy; only `openvpn_port_t` and the packet types remain. Setting
`setype: openvpn_etc_t` on `server.p12` / `crl.pem` therefore failed
with `invalid selinux context: [Errno 22] Invalid argument`.

Introduce an OS-specific internal variable
`__openvpn_server__selinux_etc_type` (default `openvpn_etc_t`,
overridden to `etc_t` on RHEL 10) and parameterize both `setype:`
assignments. On RHEL 10, `etc_t` is the appropriate default label
since openvpn runs unconfined (no `openvpn_t` domain) there.

Also mark `openvpn_server` as RHEL 10 compatible in COMPATIBILITY.md.

Author: danyalberchtoldlf

CHANGELOG.md

@@ -25,6 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+* **role:openvpn_server**: Fix `invalid selinux context: [Errno 22] Invalid argument` on RHEL 10 when deploying `server.p12` / `crl.pem`. The SELinux type `openvpn_etc_t` no longer exists in the RHEL 10 core policy (only `openvpn_port_t` and the packet types remain). The role now uses `etc_t` on RHEL 10 via a new OS-specific internal variable `__openvpn_server__selinux_etc_type`; other platforms keep `openvpn_etc_t`
 * **role:repo_epel**: Fix malformed RHEL 10 `epel.repo`: a missing newline in the `[epel-source]` section rendered `enabled=0username=<login>` when `repo_epel__basic_auth_login` was set, causing dnf to reject the file with `Invalid configuration value: enabled=0username=...`
 * **role:infomaniak_vm**: Apply the VM's security group on the `ext-net1` port instead of (only) on the server. When a VM boots against a pre-created port, Neutron enforces the port's security groups, not those passed to the server, so without this the configured rules were silently ignored on the public interface
 * **role:logstash**: Default value of `logstash__java_opts` now caps JVM heap size at 8g.

COMPATIBILITY.md

@@ -122,7 +122,7 @@ nodejs                               |    |    | x | x |    |       |       |
 objectstore_backup                   |    |    | x |   |    |       |       |
 opensearch                           |    |    | x |   |    |       |       |
 open_vm_tools                        |    |    | x | x |    |       |       |
-openvpn_server                       |    |    | x | x |    |       |       |
+openvpn_server                       |    |    | x | x | x  |       |       |
 php                                  | x  | x  | x | x |    |       |       |
 podman_containers                    |    |    |   | x |    |       |       |
 policycoreutils                      |    |    | x | x | x  |       |       | Fedora 35

roles/openvpn_server/tasks/main.yml

@@ -1,3 +1,11 @@
+- name: 'Set platform/version specific variables'
+  ansible.builtin.import_role:
+    name: 'shared'
+    tasks_from: 'platform-variables.yml'
+  tags:
+    - 'always'
+
+
 - block:
 
   - name: 'Install openvpn'
@@ -60,7 +68,7 @@
       group: 'root'
       seuser: 'system_u'
       serole: 'object_r'
-      setype: 'openvpn_etc_t'
+      setype: '{{ __openvpn_server__selinux_etc_type }}'
     when:
       - 'not openvpn_server__pkcs12_skip_deploy'
 
@@ -93,7 +101,7 @@
       group: 'openvpn'
       seuser: 'system_u'
       serole: 'object_r'
-      setype: 'openvpn_etc_t'
+      setype: '{{ __openvpn_server__selinux_etc_type }}'
     when:
       - 'not openvpn_server__crl_verify_skip_deploy'
 

roles/openvpn_server/vars/RedHat10.yml

@@ -0,0 +1 @@
+__openvpn_server__selinux_etc_type: 'etc_t'

roles/openvpn_server/vars/main.yml

@@ -0,0 +1 @@
+__openvpn_server__selinux_etc_type: 'openvpn_etc_t'