Module Puppet::Util::SELinux
In: lib/puppet/util/selinux.rb

Methods

Public Instance methods

Internal helper function to return which type of filesystem a given file path resides on

Retrieve and return the full context of the file. If we don't have SELinux support or if the SELinux call fails, then return nil.

Retrieve and return the default context of the file. If we don't have SELinux support or if the SELinux call fails to find a default, then return nil.

Take the full SELinux context returned from the tools and parse it out to the three (or four) component parts. Supports :seluser, :selrole, :seltype, and on systems with range support, :selrange.

Internal helper function to read and parse /proc/mounts

Check the filesystem a path resides on for SELinux support against a whitelist of known-good filesystems. Returns true if the filesystem can support SELinux labels and false if not.

This updates the actual SELinux label on the file. You can update only a single component or update the entire context. The caveat is that, since setting a partial context makes no sense, the file has to already exist. Puppet (via the File resource) will always just try to set components, even if all values are specified by the manifest. I believe that the OS should always provide at least a fall-through context though on any well-running system.
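The context parsing and the single-component update described above can be sketched as follows. This is an added example, not Puppet's own code: the method and constant names are hypothetical, the sample labels are constructed, and it assumes a context of the form user:role:type with an optional range.

```ruby
# Added example: all method and constant names here are hypothetical.
COMPONENTS = [:seluser, :selrole, :seltype, :selrange].freeze

# user:role:type plus an optional MLS/MCS range. The range may itself contain
# colons (e.g. "s0-s0:c0.c1023"), so a plain split(':') would mis-parse it.
CONTEXT_RE = /\A([^:\s]+):([^:\s]+):([^:\s]+)(?::(\S+))?\z/

# Parse a full context into a hash; nil when the input is missing or malformed.
def split_selinux_context(context)
  m = context && CONTEXT_RE.match(context.strip)
  return nil unless m
  parsed = { seluser: m[1], selrole: m[2], seltype: m[3] }
  parsed[:selrange] = m[4] if m[4]
  parsed
end

# Build the full label to write when only some components are requested.
# Returns nil when a partial update has no existing context to start from.
def merge_selinux_context(current, changes)
  changes = changes.reject { |_, v| v.nil? }
  changes.each do |key, value|
    raise ArgumentError, "unknown component #{key.inspect}" unless COMPONENTS.include?(key)
    # Reject separators inside user/role/type so one field cannot smuggle another.
    pattern = key == :selrange ? /\A\S+\z/ : /\A[^:\s]+\z/
    raise ArgumentError, "invalid #{key}: #{value.inspect}" unless value.match?(pattern)
  end
  base = split_selinux_context(current)
  if base.nil?
    return nil unless [:seluser, :selrole, :seltype].all? { |k| changes.key?(k) }
    base = {}
  end
  merged = base.merge(changes)
  COMPONENTS.map { |k| merged[k] }.compact.join(':')
end

# Constructed sample labels, not taken from a real system.
if __FILE__ == $PROGRAM_NAME
  current = "unconfined_u:object_r:user_home_t:s0-s0:c0.c1023"
  p split_selinux_context(current)
  puts merge_selinux_context(current, { seltype: "httpd_sys_content_t" })
  p merge_selinux_context(nil, { seltype: "httpd_sys_content_t" })
end
```

Validating each supplied component before joining keeps a manifest value such as a type containing a colon from silently rewriting the range field of the resulting label.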

Since this call relies on get_selinux_default_context it also needs a full non-relative path to the file. Fortunately, that seems to be all Puppet uses. This will set the file's SELinux context to the policy's default context (if any) if it differs from the context currently on the file.
