sefcontext: flush in-process matchpathcon cache (#11812)

* fix sefcontext: flush in-process matchpathcon cache after changes Fixes https://github.com/ansible-collections/community.general/issues/888 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * update changelog fragment with PR number and URL Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 00:01:08 +00:00 · 2026-04-17 18:41:16 +12:00
parent 175808d997
commit e2a7dc467d
2 changed files with 14 additions and 0 deletions
--- a/changelogs/fragments/11812-sefcontext-matchpathcon-cache-flush.yml
+++ b/changelogs/fragments/11812-sefcontext-matchpathcon-cache-flush.yml
@@ -0,0 +1,6 @@
+bugfixes:
+  - sefcontext - flush the in-process ``matchpathcon`` cache after applying changes, so
+    subsequent tasks running in the same process (for example via the Mitogen connection
+    plugin) see the updated SELinux file context rules instead of stale cached data
+    (https://github.com/ansible-collections/community.general/issues/888,
+    https://github.com/ansible-collections/community.general/pull/11812).
--- a/plugins/modules/sefcontext.py
+++ b/plugins/modules/sefcontext.py
@@ -280,6 +280,10 @@ def semanage_fcontext_modify(module, result, target, ftype, setype, substitute,
    if module._diff and prepared_diff:
        result["diff"] = dict(prepared=prepared_diff)

+    if changed and not module.check_mode:
+        # Flush the in-process matchpathcon cache
+        selinux.matchpathcon_fini()
+
    module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)


@@ -327,6 +331,10 @@ def semanage_fcontext_delete(module, result, target, ftype, setype, substitute,
    if module._diff and prepared_diff:
        result["diff"] = dict(prepared=prepared_diff)

+    if changed and not module.check_mode:
+        # Flush the in-process matchpathcon cache
+        selinux.matchpathcon_fini()
+
    module.exit_json(changed=changed, **result)