From 8fa18ba136c2730a4c1c68887409a8ea64b6c881 Mon Sep 17 00:00:00 2001
From: Yolanda Robla Mota
Date: Thu, 21 Jul 2016 13:17:38 +0200
Subject: [PATCH] Fix selinux problems on vhost

When running on CentOS, that problem still persists: when trying to access files under a vhost, apache was failing with Access denied because search permissions are missing. So running chcon on the docroot for each vhost

Please note that this change was reverted before. That was caused by puppet-cgit sending a dummy location "MEANINGLESS ARGUMENT" to docroot argument of vhost. To avoid that failure, execute only the chcon call if docroot exists and is a directory.

Change-Id: I4ab7d4cc6d2115bd8f980be7f14a6a4557ffeb87
---
 manifests/vhost.pp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 86e4870..4a32853 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -72,6 +72,21 @@ define httpd::vhost(
 httpd::mod { 'version': ensure => present }
 }

+ # selinux may deny directory listing and access to subdirectories
+ # so update context to allow it
+ if $::osfamily == 'RedHat' {
+ if ! defined(Exec["update_context_${docroot}"]) {
+ exec { "update_context_${docroot}":
+ command => "chcon -R -t httpd_sys_content_t ${docroot}/",
+ unless => "ls -lZ ${docroot} | grep httpd_sys_content_t",
+ onlyif => "test -d ${docroot}",
+ path => '/bin:/usr/bin:/usr/local/bin:/usr/sbin',
+ require => Package['httpd'],
+ notify => Service['httpd'],
+ }
+ }
+ }
+
 file { "${priority}-${name}.conf":
 path => "${httpd::params::vdir}/${priority}-${name}.conf",
 content => template($template),
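Review bot: `${docroot}` is interpolated unquoted into the `command`, `unless` and `onlyif` strings of the new exec, so a value containing whitespace or shell metacharacters is word-split or, depending on how the exec provider hands the string to the system, interpreted by a shell during a run that is normally root. The "MEANINGLESS ARGUMENT" case from the commit message is skipped only because `test -d` errors out on the extra word, not because the value is rejected. I would quote the path in all three strings, e.g. `onlyif => "test -d '${docroot}'"`, and reject a docroot that is not a plain absolute path before the exec is declared. Separately, the `unless` guard lists the entries inside the docroot rather than the directory itself, so a single already-labelled entry suppresses the relabel, and an empty docroot re-runs `chcon` and notifies httpd on every run; `unless => "ls -dZ '${docroot}' | grep -q httpd_sys_content_t"` checks the directory's own label. The body of `httpd::vhost` starts and continues outside this hunk, so any existing validation of `docroot` is not visible here.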