[PR #11812/e2a7dc46 backport][stable-12] sefcontext: flush in-process matchpathcon cache (#11854)

sefcontext: flush in-process matchpathcon cache (#11812)

* fix sefcontext: flush in-process matchpathcon cache after changes

Fixes https://github.com/ansible-collections/community.general/issues/888



* update changelog fragment with PR number and URL



---------


(cherry picked from commit e2a7dc467d)

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

changelogs/fragments/11812-sefcontext-matchpathcon-cache-flush.yml

@@ -0,0 +1,6 @@
+bugfixes:
+  - sefcontext - flush the in-process ``matchpathcon`` cache after applying changes, so
+    subsequent tasks running in the same process (for example via the Mitogen connection
+    plugin) see the updated SELinux file context rules instead of stale cached data
+    (https://github.com/ansible-collections/community.general/issues/888,
+    https://github.com/ansible-collections/community.general/pull/11812).

plugins/modules/sefcontext.py

@@ -280,6 +280,10 @@ def semanage_fcontext_modify(module, result, target, ftype, setype, substitute,
     if module._diff and prepared_diff:
         result["diff"] = dict(prepared=prepared_diff)
 
+    if changed and not module.check_mode:
+        # Flush the in-process matchpathcon cache
+        selinux.matchpathcon_fini()
+
     module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)
 
 
@@ -327,6 +331,10 @@ def semanage_fcontext_delete(module, result, target, ftype, setype, substitute,
     if module._diff and prepared_diff:
         result["diff"] = dict(prepared=prepared_diff)
 
+    if changed and not module.check_mode:
+        # Flush the in-process matchpathcon cache
+        selinux.matchpathcon_fini()
+
     module.exit_json(changed=changed, **result)