Defined Type: selinux::fcontext

Defined in:
manifests/fcontext.pp

Overview

For fcontext equivalences, see selinux::fcontext::equivalence

Examples:

Add a file-context for mysql log files at a non-standard location

selinux::fcontext{'set-mysql-log-context':
  seltype  => 'mysqld_log_t',
  pathspec => '/u01/log/mysql(/.*)?',
}

Add a file-context only for directory types

selinux::fcontext{'/u/users/[^/]*':
  filetype => 'd',
  seltype  => 'user_home_dir_t',
}

Parameters:

  • ensure (Enum['absent', 'present']) (defaults to: 'present')

    The desired state of the resource. Default: ‘present’

  • seltype (Optional[String]) (defaults to: undef)

    A particular SELinux type, like “mysqld_log_t”

  • seluser (Optional[String]) (defaults to: undef)

    A particular SELinux user, like “sysadm_u”

  • pathspec (String) (defaults to: $title)

    A semanage fcontext-formatted path specification (a regular expression), like “/var/log/mysql(/.*)?”. Defaults to the resource title

  • filetype (Optional[String]) (defaults to: 'a')

    File type the context applies to (e.g. regular file, directory, block device, all files)

    • Types:

      - a = all files (default value if not restricting filetype)
      - f = regular file
      - d = directory
      - c = character device
      - b = block device
      - s = socket
      - l = symbolic link
      - p = named pipe
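As an added example (not part of the module's documentation or its own code), a profile class that combines the parameters above for a web application living outside the standard paths. The class name, the paths and the restorecon exec are assumptions of this example: adding an fcontext mapping only records the rule in the policy store, so existing files keep their old label until relabelled, and the defined type itself does not do that.

```puppet
# Hypothetical profile class; paths and names are made up for this example.
class profile::webapp_selinux {
  include selinux

  $app_root = '/srv/webapp'
  $app_log  = '/u01/log/webapp'

  # Everything under the application root (all file types, filetype 'a')
  selinux::fcontext { 'webapp-content':
    seltype  => 'httpd_sys_content_t',
    pathspec => "${app_root}(/.*)?",
  }

  # Log directory outside /var/log, mirroring the mysql example above
  selinux::fcontext { 'webapp-log':
    seltype  => 'httpd_log_t',
    pathspec => "${app_log}(/.*)?",
  }

  # Only the unix socket gets this label; note the escaped '.' in the regex
  selinux::fcontext { 'webapp-socket':
    seltype  => 'httpd_var_run_t',
    filetype => 's',
    pathspec => '/run/webapp/webapp\.sock',
  }

  # Retire a mapping from an old install location
  selinux::fcontext { '/opt/webapp(/.*)?':
    ensure  => 'absent',
    seltype => 'httpd_sys_content_t',
  }

  # Relabel existing files whenever one of the mappings changes.
  # refreshonly keeps this from running on every agent run.
  exec { 'restorecon-webapp':
    command     => "restorecon -R ${app_root} ${app_log} /run/webapp",
    path        => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
    refreshonly => true,
    subscribe   => [
      Selinux::Fcontext['webapp-content'],
      Selinux::Fcontext['webapp-log'],
      Selinux::Fcontext['webapp-socket'],
    ],
  }
}
```

After a run, `matchpathcon /srv/webapp/index.html` (or `ls -Z`) shows whether the mapping and the on-disk label agree.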

See Also:



# File 'manifests/fcontext.pp', line 34

define selinux::fcontext(
  String $pathspec                  = $title,
  Enum['absent', 'present'] $ensure = 'present',
  Optional[String] $seltype         = undef,
  Optional[String] $seluser         = undef,
  Optional[String] $filetype        = 'a',
) {

  include selinux
  # Order against the module's anchors: contexts being added are applied after
  # policy modules are loaded; contexts being removed go before modules are unloaded
  if $ensure == 'present' {
    Anchor['selinux::module post']
    -> Selinux::Fcontext[$title]
    -> Anchor['selinux::end']
  } else {
    Anchor['selinux::start']
    -> Selinux::Fcontext[$title]
    -> Anchor['selinux::module pre']
  }

  if $filetype !~ /^(?:a|f|d|c|b|s|l|p)$/ {
    fail('"filetype" must be one of: a,f,d,c,b,s,l,p - see "man semanage-fcontext"')
  }

  # Do nothing unless SELinux is enabled
  if $facts['os']['selinux']['enabled'] {
    # make sure the title is correct or the provider will misbehave
    selinux_fcontext {"${pathspec}_${filetype}":
      ensure    => $ensure,
      pathspec  => $pathspec,
      seltype   => $seltype,
      file_type => $filetype,
      seluser   => $seluser,
    }
  }
}