---
- name: Fix SELinux
  when: is_rhel | bool
  block:
    - name: Fix SELinux by pre-labeling the filesystem before first boot
      when: os | lower in ['almalinux', 'rhel8', 'rhel9', 'rhel10', 'rocky'] and (selinux | bool)
      ansible.builtin.command: >
        arch-chroot /mnt /sbin/setfiles -v -F
        -e /dev -e /proc -e /sys -e /run
        /etc/selinux/targeted/contexts/files/file_contexts /
      register: configuration_setfiles_result
      changed_when: configuration_setfiles_result.rc == 0

    - name: Disable SELinux
      when: os | lower == "fedora" or not (selinux | bool)
      ansible.builtin.lineinfile:
        path: /mnt/etc/selinux/config
        regexp: ^SELINUX=
        line: SELINUX=permissive