SELinux updates.

Updates to the tests to make them work when SELinux is in enforcing mode. Also update the documentation with information on what needs to be done if you're using custom paths with SELinux.
xbezdick · May 8, 2014 · 8f03f6c · 8f03f6c
1 parent 82a6ba0
commit 8f03f6c
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1823,10 +1823,41 @@ The `apache::vhost::WSGIImportScript` parameter creates a statement inside the V
 
 ###General
 
-This module is CI tested on Centos 5 & 6, Ubuntu 12.04, Debian 7, and RHEL 5 & 6 platforms against both the OSS and Enterprise version of Puppet. 
+This module is CI tested on Centos 5 & 6, Ubuntu 12.04 & 14.04, Debian 7, and RHEL 5, 6 & 7 platforms against both the OSS and Enterprise version of Puppet. 
 
 The module contains support for other distributions and operating systems, such as FreeBSD and Amazon Linux, but is not formally tested on those and regressions may occur.
 
+###SELinux and Custom Paths
+
+If you are running with SELinux in enforcing mode and want to use custom paths for your `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you will need to manage the context for the files yourself.
+
+Something along the lines of:
+
+```puppet
+        exec { 'set_apache_defaults':
+          command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          require => Package['policycoreutils-python'],
+        }
+        package { 'policycoreutils-python': ensure => installed }
+        exec { 'restorecon_apache':
+          command => 'restorecon -Rv /apache_spec',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          before  => Service['httpd'],
+          require => Class['apache'],
+        }
+        class { 'apache': }
+        host { 'test.server': ip => '127.0.0.1' }
+        file { '/custom/path': ensure => directory, }
+        file { '/custom/path/include': ensure => present, content => '#additional_includes' }
+        apache::vhost { 'test.server':
+          docroot             => '/custom/path',
+          additional_includes => '/custom/path/include',
+        }
+```
+
+You need to set the contexts using `semanage fcontext` not `chcon` because `file {...}` resources will reset the context to the values in the database if the resource isn't specifying the context.
+
 ##Development
 
 ###Contributing

diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb
@@ -329,6 +329,20 @@ class { 'apache':
     describe 'setup' do
       it 'applies cleanly' do
         pp = <<-EOS
+          if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+            package { 'policycoreutils-python': ensure => installed }
+            exec { 'set_apache_defaults':
+              command => 'semanage fcontext -a -t httpd_log_t "/apache_spec(/.*)?"',
+              path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+              require => Package['policycoreutils-python'],
+            }
+            exec { 'restorecon_apache':
+              command => 'restorecon -Rv /apache_spec',
+              path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+              before  => Service['httpd'],
+              require => Class['apache'],
+            }
+          }
           file { '/apache_spec': ensure => directory, }
           class { 'apache': logroot => '/apache_spec' }
         EOS

diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
@@ -38,6 +38,20 @@ class { 'apache': }
     # Using puppet_apply as a helper
     it 'should work with no errors' do
       pp = <<-EOS
+      if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+        package { 'policycoreutils-python': ensure => installed }
+        exec { 'set_apache_defaults':
+          command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          require => Package['policycoreutils-python'],
+        }
+        exec { 'restorecon_apache':
+          command => 'restorecon -Rv /apache_spec',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          before  => Service['httpd'],
+          require => Class['apache'],
+        }
+      }
       file { '/apache_spec': ensure => directory, }
       file { '/apache_spec/apache_custom': ensure => directory, }
       class { 'apache':

diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb
@@ -1041,6 +1041,20 @@ class { 'apache::mod::fastcgi': }
   describe 'additional_includes' do
     it 'applies cleanly' do
       pp = <<-EOS
+        if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+          exec { 'set_apache_defaults':
+            command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
+            path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+            require => Package['policycoreutils-python'],
+          }
+          package { 'policycoreutils-python': ensure => installed }
+          exec { 'restorecon_apache':
+            command => 'restorecon -Rv /apache_spec',
+            path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+            before  => Service['httpd'],
+            require => Class['apache'],
+          }
+        }
         class { 'apache': }
         host { 'test.server': ip => '127.0.0.1' }
         file { '/apache_spec': ensure => directory, }