Defined Type: selinux::fcontext

Defined in:
manifests/fcontext.pp

Overview

selinux::fcontext

This define can be used to manage custom SELinux fcontexts (file context rules). For fcontext equivalences, see selinux::fcontext::equivalence.

Examples:

Add a file context for MySQL log files at a non-standard location

selinux::fcontext{'set-mysql-log-context':
  seltype  => "mysqld_log_t",
  pathspec => "/u01/log/mysql(/.*)?",
}

Add a file context that applies only to directories

selinux::fcontext{'/u/users/[^/]*':
  filetype => 'd',
  seltype  => 'user_home_dir_t',
}

Parameters:

  • ensure (Enum['absent', 'present']) (defaults to: 'present')

    The desired state of the resource. Default: 'present'

  • seltype (Optional[String]) (defaults to: undef)

    A particular SELinux type, like "mysqld_log_t"

  • seluser (Optional[String]) (defaults to: undef)

    A particular SELinux user, like "sysadm_u"

  • pathspec (String) (defaults to: $title)

    A semanage fcontext-formatted path specification (a regular expression), like "/var/log/mysql(/.*)?". Defaults to the resource title.

  • filetype (Optional[String]) (defaults to: 'a')

    File type the context applies to (e.g. regular file, directory, block device, or all files)

    • Types:

      - a = all files (default value if not restricting filetype)
      - f = regular file
      - d = directory
      - c = character device
      - b = block device
      - s = socket
      - l = symbolic link
      - p = named pipe
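
The define is a wrapper around semanage fcontext, so it helps to see how its parameters map onto that command. The following POSIX shell script is an added example and is not code from the puppet selinux module: it repeats the define's filetype validation, reproduces the "<pathspec>_<filetype>" title it gives the underlying selinux_fcontext resource, and renders (without running) the semanage fcontext invocation equivalent to a resource with the given ensure, seltype, pathspec, filetype and seluser. The function names fcontext_cmd, fcontext_title and valid_filetype are this example's own, and the rule that semanage needs a type to add a rule is an assumption about semanage, not something the define checks.

```shell
#!/bin/sh
# Added example, not code from the puppet selinux module. It renders the
# "semanage fcontext" command line that a selinux::fcontext resource
# corresponds to and repeats the define's filetype validation, so a change
# can be reviewed before it is applied. Nothing here runs semanage.

# Same check as the define: filetype must be one of a,f,d,c,b,s,l,p.
valid_filetype() {
  case "$1" in
    a|f|d|c|b|s|l|p) return 0 ;;
    *) return 1 ;;
  esac
}

# Title the define gives the underlying selinux_fcontext resource,
# "<pathspec>_<filetype>", so one pathspec can carry one rule per filetype.
fcontext_title() {
  printf '%s_%s\n' "$1" "$2"
}

# fcontext_cmd ENSURE SELTYPE PATHSPEC [FILETYPE] [SELUSER]
# Prints the semanage invocation equivalent to the resource (-a to add,
# -d to delete, -f filetype, -t seltype, -s seluser).
fcontext_cmd() {
  ensure=$1; seltype=$2; pathspec=$3; filetype=${4:-a}; seluser=${5:-}
  if ! valid_filetype "$filetype"; then
    echo '"filetype" must be one of: a,f,d,c,b,s,l,p - see "man semanage-fcontext"' >&2
    return 1
  fi
  case "$ensure" in
    present) cmd='semanage fcontext -a' ;;
    absent)  cmd='semanage fcontext -d' ;;
    *) echo '"ensure" must be present or absent' >&2; return 1 ;;
  esac
  # -f only matters when restricting the filetype; 'a' (all files) is the default.
  if [ "$filetype" != a ]; then cmd="$cmd -f $filetype"; fi
  if [ "$ensure" = present ]; then
    # Assumption about semanage: adding a rule needs a type. The define itself
    # does not check this (seltype is Optional), the provider would fail instead.
    if [ -z "$seltype" ]; then
      echo 'seltype is required when ensure => present' >&2
      return 1
    fi
    cmd="$cmd -t $seltype"
    if [ -n "$seluser" ]; then cmd="$cmd -s $seluser"; fi
  fi
  # The pathspec is a regular expression: single-quote it so the shell
  # does not expand it before semanage sees it.
  printf "%s '%s'\n" "$cmd" "$pathspec"
}

# Worked usage: the two resources from the examples above.
fcontext_cmd present mysqld_log_t '/u01/log/mysql(/.*)?'
fcontext_cmd present user_home_dir_t '/u/users/[^/]*' d
```

Note that adding or removing a file context rule only changes the policy database; files that already exist under the pathspec keep their current label until they are relabeled (for example with restorecon), which this define does not do for you.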
# File 'manifests/fcontext.pp', line 33

define selinux::fcontext(
  String $pathspec                  = $title,
  Enum['absent', 'present'] $ensure = 'present',
  Optional[String] $seltype         = undef,
  Optional[String] $seluser         = undef,
  Optional[String] $filetype        = 'a',
) {

  include ::selinux
  if $ensure == 'present' {
    Anchor['selinux::module post']
    -> Selinux::Fcontext[$title]
    -> Anchor['selinux::end']
  } else {
    Anchor['selinux::start']
    -> Selinux::Fcontext[$title]
    -> Anchor['selinux::module pre']
  }

  if $filetype !~ /^(?:a|f|d|c|b|s|l|p)$/ {
    fail('"filetype" must be one of: a,f,d,c,b,s,l,p - see "man semanage-fcontext"')
  }

  # make sure the title is correct or the provider will misbehave
  selinux_fcontext {"${pathspec}_${filetype}":
    ensure    => $ensure,
    pathspec  => $pathspec,
    seltype   => $seltype,
    file_type => $filetype,
    seluser   => $seluser,
  }
}