[Pkg-puppet-devel] [SCM] Puppet packaging for Debian branch, upstream, updated. 2.6.5-303-gfcfa26a

Jesse Wolfe jes5199 at gmail.com
Thu Mar 17 10:47:58 UTC 2011


The following commit has been merged in the upstream branch:
commit ac2262d071cc2c9841843354585980696c689ca3
Author: Jesse Wolfe <jes5199 at gmail.com>
Date:   Fri Feb 25 13:45:10 2011 -0800

    (#3999) Allow disabling of default SELinux context detection for files
    
    In most cases on a system with SELinux, it is preferred to use
    the SELinux matchpathcon call to determine the default context that
    a file should have to make sure that files Puppet modifies are
    labeled with the correct SELinux security context.
    
    In the event that you wanted to override some or all of the default
    context, you can use the SELinux attributes Puppet provides to do
    that. If left unspecified, the defaults will apply if matchpathcon has
    defaults.
    
    This patch adds a new selinux_ignore_defaults parameter which
    will cause Puppet to assume no defaults, allowing the file's
    SELinux label to be left unmodified, if desired.
    
    Originally-by: Sean Millichamp <sean at bruenor.org>
    Signed-off-by: Jesse Wolfe <jes5199 at gmail.com>

diff --git a/lib/puppet/type/file/selcontext.rb b/lib/puppet/type/file/selcontext.rb
index a33c6a0..ea385ee 100644
--- a/lib/puppet/type/file/selcontext.rb
+++ b/lib/puppet/type/file/selcontext.rb
@@ -32,9 +32,14 @@ module Puppet
     end
 
     def retrieve_default_context(property)
+      if @resource[:selinux_ignore_defaults] == :true
+        return nil
+      end
+
       unless context = self.get_selinux_default_context(@resource[:path])
         return nil
       end
+
       property_default = self.parse_selinux_context(property, context)
       self.debug "Found #{property} default '#{property_default}' for #{@resource[:path]}" if not property_default.nil?
       property_default
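Review bot: the early return added at the top of retrieve_default_context skips the matchpathcon lookup silently, so when selinux_ignore_defaults is set nothing in the debug output explains why no default was found, unlike the `Found #{property} default ...` message on the normal path a few lines below. Consider logging before returning, e.g. `self.debug "Ignoring SELinux default context for #{@resource[:path]}"`, and collapsing the three-line `if ... return nil ... end` into `return nil if @resource[:selinux_ignore_defaults] == :true`, which matches the trailing-modifier style already used on the debug line in this method.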
@@ -54,6 +59,17 @@ module Puppet
     end
   end
 
+  Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do
+    desc "If this is set then Puppet will not ask SELinux (via matchpathcon) to
+      supply defaults for the SELinux attributes (seluser, selrole,
+      seltype, and selrange). In general, you should leave this set at its
+      default and only set it to true when you need Puppet to not try to fix
+      SELinux labels automatically."
+    newvalues(:true, :false)
+
+    defaultto :false
+  end
+
   Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do
     desc "What the SELinux user component of the context of the file should be.
       Any valid SELinux user component is accepted.  For example `user_u`.
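Review bot: the desc for selinux_ignore_defaults opens with "If this is set then", which is ambiguous now that the parameter has `defaultto :false` and also accepts an explicit :false; "If this is set to true" would be clearer. The description should also say that the parameter only suppresses the matchpathcon-supplied defaults: seluser, selrole, seltype or selrange values given explicitly on the resource are still enforced, because the change in retrieve_default_context only makes the default nil and leaves the properties themselves untouched. Minor: the blank line between `newvalues(:true, :false)` and `defaultto :false` can be dropped.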
diff --git a/spec/unit/type/file/selinux_spec.rb b/spec/unit/type/file/selinux_spec.rb
index 043471d..a2444ac 100644
--- a/spec/unit/type/file/selinux_spec.rb
+++ b/spec/unit/type/file/selinux_spec.rb
@@ -66,6 +66,11 @@ Dir.chdir(File.dirname(__FILE__)) { (s = lambda { |f| File.exist?(f) ? require(f
       @sel.default.must == expectedresult
     end
 
+    it "should return nil for defaults if selinux_ignore_defaults is true" do
+      @resource[:selinux_ignore_defaults] = :true
+      @sel.default.must be_nil
+    end
+
     it "should be able to set a new context" do
       stat = stub 'stat', :ftype => "foo"
       @sel.should = %w{newone}
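Review bot: the new spec only checks that `@sel.default` is nil; it does not verify that the matchpathcon lookup is actually skipped, which is the behaviour the parameter exists to provide. Add an expectation that `get_selinux_default_context` is never called when the parameter is :true, e.g. `@sel.expects(:get_selinux_default_context).never` before `@sel.default.must be_nil` (assuming mocha, which the `stub 'stat'` call in the following example suggests the file already uses), and consider a companion case asserting that setting the parameter explicitly to :false still yields the expected default.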

-- 
Puppet packaging for Debian