(#3999) Allow disabling of default SELinux context detection for files

In most cases on a system with SELinux, it is preferred to use
the SELinux matchpathcon call to determine the default context that
a file should have to make sure that files Puppet modifies are
labeled with the correct SELinux security context.

In the event that you wanted to override some or all of the default
context, you can use the SELinux attributes Puppet provides to do
that. If left unspecified the defaults will apply if matchpathcon has
defaults.

This patch adds a new selinux_ignore_defaults parameter which
will cause Puppet to assume no defaults, allowing the file's
SELinux label to be left unmodified, if desired.

Originally-by: Sean Millichamp <sean@bruenor.org>
Signed-off-by: Jesse Wolfe <jes5199@gmail.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/spec/unit/type/file/selinux_spec.rb b/spec/unit/type/file/selinux_spec.rb
index 043471dec..a2444acd9 100644
--- a/spec/unit/type/file/selinux_spec.rb
+++ b/spec/unit/type/file/selinux_spec.rb
@@ -66,6 +66,11 @@ Dir.chdir(File.dirname(__FILE__)) { (s = lambda { |f| File.exist?(f) ? require(f
       @sel.default.must == expectedresult
     end
 
+    it "should return nil for defaults if selinux_ignore_defaults is true" do
+      @resource[:selinux_ignore_defaults] = :true
+      @sel.default.must be_nil
+    end
+
     it "should be able to set a new context" do
       stat = stub 'stat', :ftype => "foo"
       @sel.should = %w{newone}