Change - Ensure that postgres directories have proper SELinux labels

Michael Watters · Michael Watters · commit 8854a1c738bf · 2016-12-22T11:46:11.000-05:00
The postgresql data directory and log directory need to have proper
SELinux labels set when SELinux is enabled.
diff --git a/manifests/server/initdb.pp b/manifests/server/initdb.pp
@@ -22,30 +22,43 @@
     cwd        => $module_workdir,
   }
 
+  if $::osfamily == 'RedHat' and $::selinux == true {
+    $seltype = 'postgresql_db_t'
+    $logdir_type = 'postgresql_log_t'
+  }
+
+  else {
+    $seltype = undef
+    $logdir_type = undef
+  }
+
   # Make sure the data directory exists, and has the correct permissions.
   file { $datadir:
-    ensure => directory,
-    owner  => $user,
-    group  => $group,
-    mode   => '0700',
+    ensure  => directory,
+    owner   => $user,
+    group   => $group,
+    mode    => '0700',
+    seltype => $seltype,
   }
 
   if($xlogdir) {
     # Make sure the xlog directory exists, and has the correct permissions.
     file { $xlogdir:
-      ensure => directory,
-      owner  => $user,
-      group  => $group,
-      mode   => '0700',
+      ensure  => directory,
+      owner   => $user,
+      group   => $group,
+      mode    => '0700',
+      seltype => $seltype,
     }
   }
 
   if($logdir) {
     # Make sure the log directory exists, and has the correct permissions.
     file { $logdir:
-      ensure => directory,
-      owner  => $user,
-      group  => $group,
+      ensure  => directory,
+      owner   => $user,
+      group   => $group,
+      seltype => $logdir_type,
     }
   }
 
diff --git a/spec/unit/classes/server/config_spec.rb b/spec/unit/classes/server/config_spec.rb
@@ -15,6 +15,7 @@
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => true,
       }
     end
     it 'should have the correct systemd-override file' do
@@ -62,6 +63,7 @@ class { 'postgresql::server': }
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => true,
       }
     end
     it 'should have the correct systemd-override file' do
@@ -117,6 +119,7 @@ class { 'postgresql::server': }
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => false,
       }
     end
     it 'should have the correct systemd-override file' do
diff --git a/spec/unit/classes/server/initdb_spec.rb b/spec/unit/classes/server/initdb_spec.rb
@@ -14,6 +14,7 @@
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => true,
       }
     end
     it { is_expected.to contain_file('/var/lib/pgsql/data').with_ensure('directory') }
@@ -28,6 +29,7 @@
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => true,
       }
     end
     it { is_expected.to contain_file('/var/lib/pgsql92/data').with_ensure('directory') }
@@ -43,6 +45,7 @@
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => true,
       }
     end
     let (:pre_condition) do
@@ -71,6 +74,7 @@ class { 'postgresql::server': }
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => true,
       }
     end
     let (:pre_condition) do
@@ -99,6 +103,7 @@ class { 'postgresql::server': }
         :kernel => 'Linux',
         :id => 'root',
         :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+        :selinux => true,
       }
     end
 
diff --git a/spec/unit/classes/server/plpython_spec.rb b/spec/unit/classes/server/plpython_spec.rb
@@ -10,6 +10,7 @@
       :kernel => 'Linux',
       :id => 'root',
       :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+      :selinux => true,
     }
   end
 
diff --git a/spec/unit/defines/server/config_entry_spec.rb b/spec/unit/defines/server/config_entry_spec.rb
@@ -10,6 +10,7 @@
       :concat_basedir => tmpfilename('contrib'),
       :id => 'root',
       :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+      :selinux => true,
     }
   end
 
@@ -39,6 +40,7 @@
           :concat_basedir => tmpfilename('contrib'),
           :id => 'root',
           :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+          :selinux => true,
         }
       end
       let(:params) {{ :ensure => 'present', :name => 'port_spec', :value => '5432' }}
@@ -58,6 +60,7 @@
           :concat_basedir => tmpfilename('contrib'),
           :id => 'root',
           :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+          :selinux => true,
         }
       end
       let(:params) {{ :ensure => 'present', :name => 'port_spec', :value => '5432' }}
@@ -77,6 +80,7 @@
           :concat_basedir => tmpfilename('contrib'),
           :id => 'root',
           :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+          :selinux => true,
         }
       end
       let(:params) {{ :ensure => 'present', :name => 'port_spec', :value => '5432' }}

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@`
`10`	`10`	`:kernel => 'Linux',`
`11`	`11`	`:id => 'root',`
`12`	`12`	`:path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',`
	`13`	`+ :selinux => true,`
`13`	`14`	`}`
`14`	`15`	`end`
`15`	`16`