| author | Jesse Wolfe <jes5199@gmail.com> | 2011-02-25 13:45:10 -0800 |
|---|---|---|
| committer | Jesse Wolfe <jes5199@gmail.com> | 2011-02-25 13:46:11 -0800 |
| commit | ac2262d071cc2c9841843354585980696c689ca3 (patch) | |
| tree | fdda1e3329fad8aaa7eae7adc6e0334128245260 /lib | |
| parent | 1172a4ee50040843e0e4b5eef73183aaf50be855 (diff) | |
| download | puppet-ac2262d071cc2c9841843354585980696c689ca3.tar.gz puppet-ac2262d071cc2c9841843354585980696c689ca3.tar.xz puppet-ac2262d071cc2c9841843354585980696c689ca3.zip | |
(#3999) Allow disabling of default SELinux context detection for files
In most cases on a system with SELinux, it is preferred to use
the SELinux matchpathcon call to determine the default context that
a file should have to make sure that files Puppet modifies are
labeled with the correct SELinux security context.
In the event that you wanted to override some or all of the default
context, you can use the SELinux attributes Puppet provides to do
that. If left unspecified, the defaults will apply if matchpathcon has
defaults.
This patch adds a new selinux_ignore_defaults parameter which
will cause Puppet to assume no defaults, allowing the file's
SELinux label to be left unmodified, if desired.
Originally-by: Sean Millichamp <sean@bruenor.org>
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/puppet/type/file/selcontext.rb | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/puppet/type/file/selcontext.rb b/lib/puppet/type/file/selcontext.rb index a33c6a000..ea385eec0 100644 --- a/lib/puppet/type/file/selcontext.rb +++ b/lib/puppet/type/file/selcontext.rb @@ -32,9 +32,14 @@ module Puppet end def retrieve_default_context(property) + if @resource[:selinux_ignore_defaults] == :true + return nil + end + unless context = self.get_selinux_default_context(@resource[:path]) return nil end + property_default = self.parse_selinux_context(property, context) self.debug "Found #{property} default '#{property_default}' for #{@resource[:path]}" if not property_default.nil? property_default @@ -54,6 +59,17 @@ module Puppet end end + Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do + desc "If this is set then Puppet will not ask SELinux (via matchpathcon) to + supply defaults for the SELinux attributes (seluser, selrole, + seltype, and selrange). In general, you should leave this set at its + default and only set it to true when you need Puppet to not try to fix + SELinux labels automatically." + newvalues(:true, :false) + + defaultto :false + end + Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do desc "What the SELinux user component of the context of the file should be. Any valid SELinux user component is accepted. For example `user_u`. |
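Review bot: the early return in the first hunk (`retrieve_default_context`) skips the matchpathcon lookup silently, while the normal path logs `Found #{property} default ...` at debug level; consider adding a matching `self.debug "Ignoring SELinux defaults for #{@resource[:path]}"` before `return nil` so a run with `selinux_ignore_defaults => true` can be distinguished in debug output from a run where matchpathcon simply returned no context. The `== :true` comparison is consistent with the `newvalues(:true, :false)` declared later in the patch, and because `retrieve_default_context` is called once per SELinux property, the bypass applies uniformly to seluser, selrole, seltype and selrange.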
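Review bot: the `desc` string in the second hunk could state more precisely what the parameter does not change: it only stops Puppet from querying matchpathcon for defaults, and any seluser/selrole/seltype/selrange values the user sets explicitly are still enforced, so the file's label is "left unmodified" only when none of those properties is managed. Suggested wording for the last sentence: "Explicitly specified SELinux attributes are still managed; only the automatic defaults are skipped." The `newvalues(:true, :false)` plus `defaultto :false` pairing preserves existing behaviour for resources that do not set the parameter, which is the right default for a security-relevant labelling change.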
