Fix label issues with home, project and scratch root folder (#96)

* Replace exec by selinux::fcontext::equivalence * Add restorecon to /project after mount * Add restorecon to home and scratch too
ComputeCanada · Feb 16, 2021 · 9577f25 · 9577f25
1 parent dcfeb5d
commit 9577f25
Showing 1 changed file with 20 additions and 12 deletions.
diff --git a/site/profile/manifests/nfs.pp b/site/profile/manifests/nfs.pp
@@ -141,13 +141,15 @@
       mountpath_require => true,
     }
 
-    exec { 'semanage_fcontext_mnt_home':
-      command => 'semanage fcontext -a -e /home /mnt/home',
-      unless  => 'grep -q "/mnt/home\s*/home" /etc/selinux/targeted/contexts/files/file_contexts.subs*',
-      path    => ['/bin', '/usr/bin', '/sbin','/usr/sbin'],
+    selinux::fcontext::equivalence { '/mnt/home':
+      ensure  => 'present',
+      target  => '/home',
       require => Mount['/mnt/home'],
+      notify  => Selinux::Exec_restorecon['/mnt/home']
     }
 
+    selinux::exec_restorecon { '/mnt/home': }
+
     nfs::server::export{ '/mnt/home' :
       ensure  => 'mounted',
       clients => "${cidr}(rw,async,root_squash,no_all_squash,security_label)",
@@ -191,12 +193,15 @@
       mountpath_require => true,
     }
 
-    exec { 'semanage_fcontext_project':
-      command => 'semanage fcontext -a -e /home /project',
-      unless  => 'grep -q "/project\s*/home" /etc/selinux/targeted/contexts/files/file_contexts.subs*',
-      path    => ['/bin', '/usr/bin', '/sbin','/usr/sbin'],
+    selinux::fcontext::equivalence { '/project':
+      ensure  => 'present',
+      target  => '/home',
       require => Mount['/project'],
+      notify  => Selinux::Exec_restorecon['/project']
     }
+
+    selinux::exec_restorecon { '/project': }
+
     nfs::server::export{ '/project':
       ensure  => 'mounted',
       clients => "${cidr}(rw,async,root_squash,no_all_squash,security_label)",
@@ -240,12 +245,15 @@
       mountpath_require => true,
     }
 
-    exec { 'semanage_fcontext_scratch':
-      command => 'semanage fcontext -a -e /home /scratch',
-      unless  => 'grep -q "/scratch\s*/home" /etc/selinux/targeted/contexts/files/file_contexts.subs*',
-      path    => ['/bin', '/usr/bin', '/sbin','/usr/sbin'],
+    selinux::fcontext::equivalence { '/scratch':
+      ensure  => 'present',
+      target  => '/home',
       require => Mount['/scratch'],
+      notify  => Selinux::Exec_restorecon['/scratch']
     }
+
+    selinux::exec_restorecon { '/scratch': }
+
     nfs::server::export{ '/scratch':
       ensure  => 'mounted',
       clients => "${cidr}(rw,async,root_squash,no_all_squash,security_label)",