Merge pull request #724 from mhaskel/selinux

Ashley Penney · Ashley Penney · commit c6aa70a64e1f · 2014-05-09T15:13:28.000-04:00
SELinux updates.
diff --git a/README.md b/README.md
@@ -1823,10 +1823,41 @@ The `apache::vhost::WSGIImportScript` parameter creates a statement inside the V
 
 ###General
 
-This module is CI tested on Centos 5 & 6, Ubuntu 12.04, Debian 7, and RHEL 5 & 6 platforms against both the OSS and Enterprise version of Puppet. 
+This module is CI tested on Centos 5 & 6, Ubuntu 12.04 & 14.04, Debian 7, and RHEL 5, 6 & 7 platforms against both the OSS and Enterprise version of Puppet. 
 
 The module contains support for other distributions and operating systems, such as FreeBSD and Amazon Linux, but is not formally tested on those and regressions may occur.
 
+###SELinux and Custom Paths
+
+If you are running with SELinux in enforcing mode and want to use custom paths for your `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you will need to manage the context for the files yourself.
+
+Something along the lines of:
+
+```puppet
+        exec { 'set_apache_defaults':
+          command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          require => Package['policycoreutils-python'],
+        }
+        package { 'policycoreutils-python': ensure => installed }
+        exec { 'restorecon_apache':
+          command => 'restorecon -Rv /apache_spec',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          before  => Service['httpd'],
+          require => Class['apache'],
+        }
+        class { 'apache': }
+        host { 'test.server': ip => '127.0.0.1' }
+        file { '/custom/path': ensure => directory, }
+        file { '/custom/path/include': ensure => present, content => '#additional_includes' }
+        apache::vhost { 'test.server':
+          docroot             => '/custom/path',
+          additional_includes => '/custom/path/include',
+        }
+```
+
+You need to set the contexts using `semanage fcontext` not `chcon` because `file {...}` resources will reset the context to the values in the database if the resource isn't specifying the context.
+
 ##Development
 
 ###Contributing
diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb
@@ -329,6 +329,20 @@ class { 'apache':
     describe 'setup' do
       it 'applies cleanly' do
         pp = <<-EOS
+          if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+            package { 'policycoreutils-python': ensure => installed }
+            exec { 'set_apache_defaults':
+              command => 'semanage fcontext -a -t httpd_log_t "/apache_spec(/.*)?"',
+              path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+              require => Package['policycoreutils-python'],
+            }
+            exec { 'restorecon_apache':
+              command => 'restorecon -Rv /apache_spec',
+              path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+              before  => Service['httpd'],
+              require => Class['apache'],
+            }
+          }
           file { '/apache_spec': ensure => directory, }
           class { 'apache': logroot => '/apache_spec' }
         EOS
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
@@ -38,6 +38,20 @@ class { 'apache': }
     # Using puppet_apply as a helper
     it 'should work with no errors' do
       pp = <<-EOS
+      if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+        package { 'policycoreutils-python': ensure => installed }
+        exec { 'set_apache_defaults':
+          command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          require => Package['policycoreutils-python'],
+        }
+        exec { 'restorecon_apache':
+          command => 'restorecon -Rv /apache_spec',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          before  => Service['httpd'],
+          require => Class['apache'],
+        }
+      }
       file { '/apache_spec': ensure => directory, }
       file { '/apache_spec/apache_custom': ensure => directory, }
       class { 'apache':
diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb
@@ -1041,6 +1041,20 @@ class { 'apache::mod::fastcgi': }
   describe 'additional_includes' do
     it 'applies cleanly' do
       pp = <<-EOS
+        if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+          exec { 'set_apache_defaults':
+            command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
+            path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+            require => Package['policycoreutils-python'],
+          }
+          package { 'policycoreutils-python': ensure => installed }
+          exec { 'restorecon_apache':
+            command => 'restorecon -Rv /apache_spec',
+            path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+            before  => Service['httpd'],
+            require => Class['apache'],
+          }
+        }
         class { 'apache': }
         host { 'test.server': ip => '127.0.0.1' }
         file { '/apache_spec': ensure => directory, }
