In most cases on a system with SELinux, it is preferred to use the SELinux matchpathcon call to determine the default context that a file should have to make sure that files Puppet modifies are labeled with the correct SELinux security context.
In the event that you wanted to override some or all of the default context, you can use the SELinux attributes Puppet provides to do that. If left unspecified the defaults will apply if matchpathcon has defaults. This patch adds a new selinux_ignore_defaults parameter which will cause Puppet to assume no defaults, allowing the file's SELinux label to be left unmodified, if desired.

Signed-off-by: Sean Millichamp <s...@bruenor.org>
---
 lib/puppet/type/file/selcontext.rb | 59 +++++++++++++++++++++++++++-------
 spec/unit/type/file/selinux_spec.rb | 5 +++
 2 files changed, 52 insertions(+), 12 deletions(-)

diff --git a/lib/puppet/type/file/selcontext.rb b/lib/puppet/type/file/selcontext.rb
index a33c6a0..9859436 100644
--- a/lib/puppet/type/file/selcontext.rb
+++ b/lib/puppet/type/file/selcontext.rb
@@ -54,37 +54,66 @@ module Puppet end end + Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do + desc "If this is set then Puppet will not ask SELinux (via matchpathcon) to + supply defaults for the SELinux attributes (seluser, selrole, + seltype, and selrange). In general, you should leave this set at its + default and only set it to true when you need Puppet to not try to fix + SELinux labels automatically." + newvalues(:true, :false) + + defaultto :false + end + Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do desc "What the SELinux user component of the context of the file should be. Any valid SELinux user component is accepted. For example `user_u`. If not specified it defaults to the value returned by matchpathcon for - the file, if any exists. Only valid on systems with SELinux support - enabled." + the file, if any exists, unless selinux_ignore_defaults is set to true. + Only valid on systems with SELinux support enabled." @event = :file_changed - defaultto { self.retrieve_default_context(:seluser) } + defaultto { + if @resource[:selinux_ignore_defaults] == :true + nil + else + self.retrieve_default_context(:seluser) + end + } end Puppet::Type.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do desc "What the SELinux role component of the context of the file should be. Any valid SELinux role component is accepted. For example `role_r`. If not specified it defaults to the value returned by matchpathcon for - the file, if any exists. Only valid on systems with SELinux support - enabled." + the file, if any exists, unless selinux_ignore_defaults is set to true. + Only valid on systems with SELinux support enabled." 
@event = :file_changed - defaultto { self.retrieve_default_context(:selrole) } + defaultto { + if @resource[:selinux_ignore_defaults] == :true + nil + else + self.retrieve_default_context(:selrole) + end + } end Puppet::Type.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do desc "What the SELinux type component of the context of the file should be. Any valid SELinux type component is accepted. For example `tmp_t`. If not specified it defaults to the value returned by matchpathcon for - the file, if any exists. Only valid on systems with SELinux support - enabled." + the file, if any exists, unless selinux_ignore_defaults is set to true. + Only valid on systems with SELinux support enabled." @event = :file_changed - defaultto { self.retrieve_default_context(:seltype) } + defaultto { + if @resource[:selinux_ignore_defaults] == :true + nil + else + self.retrieve_default_context(:seltype) + end + } end Puppet::Type.type(:file).newproperty(:selrange, :parent => Puppet::SELFileContext) do @@ -92,11 +121,17 @@ module Puppet Any valid SELinux range component is accepted. For example `s0` or `SystemHigh`. If not specified it defaults to the value returned by matchpathcon for the file, if any exists. Only valid on systems with - SELinux support enabled and that have support for MCS (Multi-Category - Security)." + the file, if any exists, unless selinux_ignore_defaults is set to true. + Only valid on systems with SELinux support enabled." @event = :file_changed - defaultto { self.retrieve_default_context(:selrange) } + defaultto { + if @resource[:selinux_ignore_defaults] == :true + nil + else + self.retrieve_default_context(:selrange) + end + } end end diff --git a/spec/unit/type/file/selinux_spec.rb b/spec/unit/type/file/selinux_spec.rb index 1ca59e9..5227b13 100644 --- a/spec/unit/type/file/selinux_spec.rb +++ b/spec/unit/type/file/selinux_spec.rb 
@@ -66,6 +66,11 @@ Dir.chdir(File.dirname(__FILE__)) { (s = lambda { |f| File.exist?(f) ? require(f @sel.default.must == expectedresult end + it "should return nil for defaults if selinux_ignore_defaults is true" do + @resource[:selinux_ignore_defaults] = :true + @sel.default.must be_nil + end + it "should be able to set a new context" do stat = stub 'stat', :ftype => "foo" @sel.should = %w{newone} -- 1.7.3.3 -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to puppet-...@googlegroups.com. To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
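Review bot: in the first selcontext.rb hunk (@@ -54,37) the `defaultto` block added to seluser, selrole and seltype, and again to selrange in the following hunk, is the same conditional `if @resource[:selinux_ignore_defaults] == :true` / `nil` / `else self.retrieve_default_context(...)` copied four times; move the check into Puppet::SELFileContext#retrieve_default_context (or a small helper beside it) so each property keeps its one-line `defaultto { self.retrieve_default_context(:seluser) }` and a later change to the parameter's name or value handling has a single place to land. A short comment on why nil is the value to return (the commit message says the label is then left unmodified, but nothing in the code says so) would also help the next reader.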
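Review bot: in the selrange hunk (@@ -92,11) the wrong lines of the description were replaced: the unchanged context line `matchpathcon for the file, if any exists. Only valid on systems with` is immediately followed by the added `the file, if any exists, unless selinux_ignore_defaults is set to true.`, so the resulting docstring reads "... Only valid on systems with the file, if any exists, unless ...". The two removed lines also drop the MCS (Multi-Category Security) caveat, which is specific to selrange and still applies. Suggest deleting that context line along with the two old lines and adding `matchpathcon for the file, if any exists, unless selinux_ignore_defaults is` / `set to true. Only valid on systems with SELinux support enabled and that` / `have support for MCS (Multi-Category Security)."`.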
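Review bot: the new example in selinux_spec.rb (@@ -66,6) only covers the case where selinux_ignore_defaults is :true and no explicit value is given; add a companion example that sets `@resource[:selinux_ignore_defaults] = :true` together with an explicit value for the property @sel wraps and asserts that the explicit value is still honoured, since that override is what the commit message promises and nothing in the patch exercises it. A further example passing the string "true" rather than the symbol would confirm that a value written in a manifest reaches the `== :true` comparison in the defaultto blocks in the form they expect.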
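How the parameter this patch adds fits next to the existing sel* properties, as an added manifest example that is not part of the patch or of this e-mail; the paths, module name and SELinux types in it (/etc/myapp/myapp.conf, httpd_sys_content_t and so on) are illustrative assumptions:

```puppet
# Added example (not from the patch): three ways the file type treats the
# SELinux label once selinux_ignore_defaults exists. Paths, module name and
# types are illustrative assumptions.

# 1. Default behaviour: every sel* component is taken from matchpathcon, so
#    Puppet puts the policy's label back if the file was mislabelled.
file { '/etc/myapp/myapp.conf':
  ensure => file,
  source => 'puppet:///modules/myapp/myapp.conf',
}

# 2. Partial override: seltype is pinned, the other three components still
#    come from matchpathcon.
file { '/srv/myapp/www/index.html':
  ensure  => file,
  source  => 'puppet:///modules/myapp/index.html',
  seltype => 'httpd_sys_content_t',
}

# 3. No defaults: Puppet manages content and mode but never touches the
#    label, so a context applied by hand or by another tool survives runs.
file { '/srv/myapp/data/export.csv':
  ensure                  => file,
  mode                    => '0640',
  selinux_ignore_defaults => true,
}
```

To see what case 1 will enforce before running the agent, compare `matchpathcon /etc/myapp/myapp.conf` with `ls -Z /etc/myapp/myapp.conf`; a mismatch between the two is exactly what Puppet will correct in case 1 and, with selinux_ignore_defaults set, exactly what it will leave alone in case 3.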