seboolean: make it work with disabled SELinux

Sometimes it's necessary to configure SELinux before it's enabled on the
system. There's `ignore_selinux_state` which should allow it. Before
this change `seboolean` module failed on SELinux disabled system even
with `ignore_selinux_state: true` and SELinux policy installed while
`semanage boolean` worked as expected:

    $ ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on ignore_selinux_state=true" all
    192.168.121.153 | FAILED! => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": false,
        "msg": "Failed to get list of boolean names"
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (off  ,  off)  Allow ssh to sysadm login

It's caused by `selinux.security_get_boolean_names()` and
`selinux.security_get_boolean_active(name)` which required SELinux
enabled system.

This change adds a fallback to semanage API which works in SELinux
disabled system when SELinux targeted policy is installed:

    ANSIBLE_LIBRARY=plugins/modules ansible -i 192.168.121.153, -m seboolean -a "name=ssh_sysadm_login state=on persistent=true ignore_selinux_state=true" all
    192.168.121.153 | CHANGED => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": true,
        "name": "ssh_sysadm_login",
        "persistent": true,
        "state": true
    }

    $ ssh root@192.168.121.153 semanage boolean -l | grep ssh_sysadm_login
    ssh_sysadm_login               (on   ,   on)  Allow ssh to sysadm login

Note that without `persistent=true` this module is effectively NO-OP now.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>

.azure-pipelines/azure-pipelines.yml

@@ -209,10 +209,8 @@ stages:
               test: rhel/8.7
             - name: RHEL 9.1
               test: rhel/9.1
-            - name: FreeBSD 13.1
-              test: freebsd/13.1
-            - name: FreeBSD 12.4
-              test: freebsd/12.4
+            - name: FreeBSD 13.2
+              test: freebsd/13.2
   - stage: Remote_2_14
     displayName: Remote 2.14
     dependsOn: []
@@ -225,10 +223,8 @@ stages:
               test: rhel/7.9
             - name: RHEL 8.6
               test: rhel/8.6
-            - name: FreeBSD 13.1
-              test: freebsd/13.1
-            - name: FreeBSD 12.4
-              test: freebsd/12.4
+            - name: FreeBSD 13.2
+              test: freebsd/13.2
 
   ## Finally
 

changelogs/fragments/421-remove-deprecation-warning.yml

@@ -0,0 +1,2 @@
+trivial:
+  - synchronize - instantiate the connection plugin without the ``new_stdin`` argument, which is deprecated in ansible-core 2.15 (https://github.com/ansible-collections/ansible.posix/pull/421).

changelogs/fragments/504-firewalld_info-warning.yaml

@@ -0,0 +1,2 @@
+minor_changes:
+  - firewalld_info - Only warn about ignored zones, when there are zones ignored.

plugins/action/synchronize.py

@@ -284,9 +284,6 @@ class ActionModule(ActionBase):
         # told (via delegate_to) that a different host is the source of the
         # rsync
         if not use_delegate and remote_transport:
-            # Create a connection to localhost to run rsync on
-            new_stdin = self._connection._new_stdin
-
             # Unlike port, there can be only one shell
             localhost_shell = None
             for host in C.LOCALHOST:
@@ -315,7 +312,11 @@ class ActionModule(ActionBase):
                 localhost_executable = C.DEFAULT_EXECUTABLE
             self._play_context.executable = localhost_executable
 
-            new_connection = connection_loader.get('local', self._play_context, new_stdin)
+            try:
+                new_connection = connection_loader.get('local', self._play_context)
+            except TypeError:
+                # Needed for ansible-core < 2.15
+                new_connection = connection_loader.get('local', self._play_context, self._connection._new_stdin)
             self._connection = new_connection
             # Override _remote_is_local as an instance attribute specifically for the synchronize use case
             # ensuring we set local tmpdir correctly

plugins/modules/firewalld_info.py

@@ -356,6 +356,7 @@ def main():
             specified_zones = module.params['zones']
             collect_zones = list(set(specified_zones) & set(all_zones))
             ignore_zones = list(set(specified_zones) - set(collect_zones))
+            if ignore_zones:
                 warn.append(
                     'Please note: zone:(%s) have been ignored in the gathering process.' % ','.join(ignore_zones))
         else:

plugins/modules/mount.py

@@ -831,7 +831,7 @@ def main():
         # handle mount on boot.  To avoid mount option conflicts, if 'noauto'
         # specified in 'opts',  mount module will ignore 'boot'.
         opts = args['opts'].split(',')
-        if 'noauto' in opts:
+        if module.params['boot'] and 'noauto' in opts:
             args['warnings'].append("Ignore the 'boot' due to 'opts' contains 'noauto'.")
         elif not module.params['boot']:
             args['boot'] = 'no'

tests/utils/shippable/shippable.sh

@@ -62,16 +62,7 @@ else
     retry pip install "https://github.com/ansible/ansible/archive/stable-${ansible_version}.tar.gz" --disable-pip-version-check
 fi
 
-if [ "${SHIPPABLE_BUILD_ID:-}" ]; then
-    export ANSIBLE_COLLECTIONS_PATHS="${HOME}/.ansible"
-    SHIPPABLE_RESULT_DIR="$(pwd)/shippable"
-    TEST_DIR="${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/ansible/posix"
-    mkdir -p "${TEST_DIR}"
-    cp -aT "${SHIPPABLE_BUILD_DIR}" "${TEST_DIR}"
-    cd "${TEST_DIR}"
-else
-    export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"
-fi
+export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"
 
 # START: HACK install dependencies
 if [ "${ansible_version}" == "2.9" ] || [ "${ansible_version}" == "2.10" ]; then