The fcontext_get_policy function in salt/modules/selinux.py contains a recipe for incompatibilities:
- Use the Python re module to escape the regexp -> every dash is escaped
- Pass the escaped regexp to grep -> grep only accepts an escaped dash inside a character class, for example [a-z\-] to accept letters and dashes (while [a-z-] works fine too); outside a class, grep -E warns about a stray backslash before the dash
Demonstration:

```
$ echo foo-bar | grep -E 'o\-b'
grep: warning: stray \ before -
foo-bar
$ echo foo-bar | grep -E '[a-z\-]'
foo-bar
$ echo foo-bar | grep -E '[a-z-]'
foo-bar
$ semanage fcontext -l | grep -E '^/var/letsencrypt\-auto[ ]+all files[ ]+[^:]+:[^:]+:httpd_sys_content_t:[^:]+[ | ]*$'
grep: warning: stray \ before -
/var/letsencrypt-auto                              all files          system_u:object_r:httpd_sys_content_t:s0
$ semanage fcontext -l | grep -E '^/var/letsencrypt-auto[ ]+all files[ ]+[^:]+:[^:]+:httpd_sys_content_t:[^:]+[ | ]*$'
/var/letsencrypt-auto                              all files          system_u:object_r:httpd_sys_content_t:s0
```
Plan
The code would be cleaner if the Python re module were actually used both for escaping and for executing the regexp, i.e. take the whole `semanage fcontext -l` output, split it by line and check each line against the regexp.
Beware that modules/selinux.sls is planned to be moved to a community-maintained module as part of the Salt grand module transition.
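The following is an added example of the plan above; it is not Salt's own code. It keeps the shape of the grep regexp shown in the demonstration (`^name[ ]+filetype[ ]+user:role:type:level[ | ]*$`, with `[^:]+` for any context field left unspecified) but escapes the file spec with re.escape() and matches each line of the `semanage fcontext -l` output with re, so the escaped dash that trips grep is consumed by the same engine that produced it. The function names and the sample output are constructed for this example.

```python
import re

# Constructed sample of `semanage fcontext -l` output; the paths and contexts
# are made up for this example, not captured from a real host.
SAMPLE_FCONTEXT_OUTPUT = """\
SELinux fcontext                                   type               Context

/                                                  directory          system_u:object_r:root_t:s0
/var/letsencrypt-auto                              all files          system_u:object_r:httpd_sys_content_t:s0
/var/letsencrypt-auto/logs(/.*)?                   all files          system_u:object_r:httpd_log_t:s0
/var/log                                           directory          system_u:object_r:var_log_t:s0
"""

# Fields of an SELinux context label, in the order semanage prints them.
_CONTEXT_FIELDS = ("sel_user", "sel_role", "sel_type", "sel_level")


def build_fcontext_pattern(name, filetype="all files", **context):
    """Build a compiled regex matching one `semanage fcontext -l` line.

    `name` is the literal file spec as stored in the policy (a path or a
    path regex such as /var/letsencrypt-auto/logs(/.*)?), so it is escaped
    with re.escape(). Because the pattern is evaluated by re and never
    handed to grep, the escaped dash re.escape() emits is harmless here.
    A context field left as None matches any value ([^:]+).
    """
    parts = []
    for field in _CONTEXT_FIELDS:
        value = context.get(field)
        parts.append(re.escape(value) if value is not None else "[^:]+")
    ctx = ":".join(parts)
    return re.compile(
        "^" + re.escape(name) + "[ ]+" + re.escape(filetype) + "[ ]+" + ctx + "[ | ]*$"
    )


def fcontext_get_policy(output, name, filetype="all files", **context):
    """Return the policy lines matching the query, each parsed into a dict.

    `output` is the full text of `semanage fcontext -l`; it is split into
    lines here instead of being piped through grep.
    """
    pattern = build_fcontext_pattern(name, filetype, **context)
    matches = []
    for line in output.splitlines():
        if not pattern.match(line):
            continue
        # Columns are padded with runs of spaces, while the filetype column
        # itself contains a single space ("all files"), so split on 2+ spaces.
        fcontext, ftype, ctx = re.split(r" {2,}", line.strip(), maxsplit=2)
        user, role, sel_type, level = ctx.split(":", 3)
        matches.append({
            "fcontext": fcontext,
            "filetype": ftype,
            "sel_user": user,
            "sel_role": role,
            "sel_type": sel_type,
            "sel_level": level,
        })
    return matches


if __name__ == "__main__":
    for entry in fcontext_get_policy(
        SAMPLE_FCONTEXT_OUTPUT, "/var/letsencrypt-auto", sel_type="httpd_sys_content_t"
    ):
        print(entry)
```

Because `^` and `[ ]+` anchor the file spec to the start of the line and to the column padding, `/var/letsencrypt-auto` does not match the longer `/var/letsencrypt-auto/logs(/.*)?` entry, and regex metacharacters in a stored file spec are matched literally.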