Merge pull request #724 from mhaskel/selinux

SELinux updates.
xbezdick · May 9, 2014 · c6aa70a · c6aa70a
2 parents 2cc4b5f + 8f03f6c
commit c6aa70a
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1823,10 +1823,41 @@ The `apache::vhost::WSGIImportScript` parameter creates a statement inside the V
 
 ###General
 
-This module is CI tested on Centos 5 & 6, Ubuntu 12.04, Debian 7, and RHEL 5 & 6 platforms against both the OSS and Enterprise version of Puppet. 
+This module is CI tested on Centos 5 & 6, Ubuntu 12.04 & 14.04, Debian 7, and RHEL 5, 6 & 7 platforms against both the OSS and Enterprise version of Puppet. 
 
 The module contains support for other distributions and operating systems, such as FreeBSD and Amazon Linux, but is not formally tested on those and regressions may occur.
 
+###SELinux and Custom Paths
+
+If you are running with SELinux in enforcing mode and want to use custom paths for your `logroot`, `mod_dir`, `vhost_dir`, and `docroot`, you will need to manage the context for the files yourself.
+
+Something along the lines of:
+
+```puppet
+        exec { 'set_apache_defaults':
+          command => 'semanage fcontext -a -t httpd_sys_content_t "/custom/path(/.*)?"',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          require => Package['policycoreutils-python'],
+        }
+        package { 'policycoreutils-python': ensure => installed }
+        exec { 'restorecon_apache':
+          command => 'restorecon -Rv /apache_spec',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          before  => Service['httpd'],
+          require => Class['apache'],
+        }
+        class { 'apache': }
+        host { 'test.server': ip => '127.0.0.1' }
+        file { '/custom/path': ensure => directory, }
+        file { '/custom/path/include': ensure => present, content => '#additional_includes' }
+        apache::vhost { 'test.server':
+          docroot             => '/custom/path',
+          additional_includes => '/custom/path/include',
+        }
+```
+
+You need to set the contexts using `semanage fcontext` not `chcon` because `file {...}` resources will reset the context to the values in the database if the resource isn't specifying the context.
+
 ##Development
 
 ###Contributing

diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb
@@ -329,6 +329,20 @@ class { 'apache':
     describe 'setup' do
       it 'applies cleanly' do
         pp = <<-EOS
+          if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+            package { 'policycoreutils-python': ensure => installed }
+            exec { 'set_apache_defaults':
+              command => 'semanage fcontext -a -t httpd_log_t "/apache_spec(/.*)?"',
+              path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+              require => Package['policycoreutils-python'],
+            }
+            exec { 'restorecon_apache':
+              command => 'restorecon -Rv /apache_spec',
+              path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+              before  => Service['httpd'],
+              require => Class['apache'],
+            }
+          }
           file { '/apache_spec': ensure => directory, }
           class { 'apache': logroot => '/apache_spec' }
         EOS

diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
@@ -38,6 +38,20 @@ class { 'apache': }
     # Using puppet_apply as a helper
     it 'should work with no errors' do
       pp = <<-EOS
+      if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+        package { 'policycoreutils-python': ensure => installed }
+        exec { 'set_apache_defaults':
+          command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          require => Package['policycoreutils-python'],
+        }
+        exec { 'restorecon_apache':
+          command => 'restorecon -Rv /apache_spec',
+          path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+          before  => Service['httpd'],
+          require => Class['apache'],
+        }
+      }
       file { '/apache_spec': ensure => directory, }
       file { '/apache_spec/apache_custom': ensure => directory, }
       class { 'apache':

diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb
@@ -1041,6 +1041,20 @@ class { 'apache::mod::fastcgi': }
   describe 'additional_includes' do
     it 'applies cleanly' do
       pp = <<-EOS
+        if $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7' {
+          exec { 'set_apache_defaults':
+            command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
+            path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+            require => Package['policycoreutils-python'],
+          }
+          package { 'policycoreutils-python': ensure => installed }
+          exec { 'restorecon_apache':
+            command => 'restorecon -Rv /apache_spec',
+            path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
+            before  => Service['httpd'],
+            require => Class['apache'],
+          }
+        }
         class { 'apache': }
         host { 'test.server': ip => '127.0.0.1' }
         file { '/apache_spec': ensure => directory, }