From 117280558506cecefe59fd6da56e73abe11cffa6 Mon Sep 17 00:00:00 2001
From: Derek Nola <derek.nola@suse.com>
Date: Fri, 23 Jan 2026 09:59:21 -0800
Subject: [PATCH] Install airgap selinux rpms when avaliable (#500)

Signed-off-by: Derek Nola <derek.nola@suse.com>
---
 README.md                   | 2 +-
 roles/airgap/tasks/main.yml | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 9da4f43..b43bd22 100644
--- a/README.md
+++ b/README.md
@@ -177,7 +177,7 @@ $ cat inventory.yml
 airgap_dir: ./my-airgap # Paths are relative to the playbooks directory
 ```
 
-Additionally, if deploying on an OS with SELinux, you will also need to download the latest [k3s-selinux RPM](https://github.com/k3s-io/k3s-selinux/releases/latest) and place it in the airgap folder.
+Additionally, if deploying on an OS with SELinux, you will also need to download the latest [k3s-selinux RPM](https://github.com/k3s-io/k3s-selinux/releases/latest) and its dependencies `selinux-policy` and `container-selinux` RPMs and place them in the airgap folder.
 
 
 It is assumed that the control node has access to the internet. The playbook will automatically download the k3s install script on the control node, and then distribute all three artifacts to the managed nodes. 
diff --git a/roles/airgap/tasks/main.yml b/roles/airgap/tasks/main.yml
index 3ed19de..b8ab8cc 100644
--- a/roles/airgap/tasks/main.yml
+++ b/roles/airgap/tasks/main.yml
@@ -57,7 +57,9 @@
               # so we need to skip it if the file is not found
               skip: true
 
+        # Dependencies are listed first so they get installed first in the next task
         - name: Distribute K3s SELinux RPM
+          when: ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Suse'
           ansible.builtin.copy:
             src: "{{ item }}"
             dest: /tmp/
@@ -65,16 +67,18 @@
             group: root
             mode: "0755"
           with_fileglob:
+            - "{{ airgap_dir }}/container-selinux*.rpm"
+            - "{{ airgap_dir }}/selinux-policy*.rpm"
             - "{{ airgap_dir }}/k3s-selinux*.rpm"
           register: airgap_selinux_copy
           ignore_errors: true
 
         - name: Install K3s SELinux RPM
           when:
-            - ansible_facts['os_family'] == 'RedHat'
+            - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Suse'
             - airgap_selinux_copy.skipped is false
           ansible.builtin.dnf:
-            name: "{{ airgap_selinux_copy.results[0].dest }}"
+            name: "{{ airgap_selinux_copy.results | selectattr('dest', 'defined') | map(attribute='dest') | list }}"
             state: present
             disable_gpg_check: true
             disablerepo: "*"