From 1f43d95e12c1b92b8c197dcd68152a026b2f22c1 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 2 Nov 2025 14:39:12 +0100
Subject: [PATCH] set seliux contexts for all files and directories - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/292
---
 manifests/main/files.pp | 89 ++++++++++++++++++++++++-----------------
 1 file changed, 53 insertions(+), 36 deletions(-)
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index 74b7a41..ad0c257 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -10,13 +10,17 @@ class puppet_cd::main::files (
 if $fqdn != $pt_pm_fqdn {
 file { $pt_puppet_conf_file:
- ensure => file,
- path => $pt_puppet_conf_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_puppet_conf_erb),
- notify => Service[$pt_agent_service],
+ ensure => file,
+ path => $pt_puppet_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_puppet_conf_erb),
+ notify => Service[$pt_agent_service],
 }
 if $pt_use_puppetdb == true {
 file { $pt_node_rb_file:
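Review bot: The added `seltype => puppet_etc_t` (together with selrange/selrole/seluser) hard-codes a label that must exist in the host's loaded SELinux policy; if the puppet policy module is absent, Puppet reports an error for this resource on every run, and what happens with SELinux disabled or unavailable depends on the provider and should be verified. The same applies to the puppet.conf, puppetdb.conf and routes.yaml resources in the second hunk. If this class is applied to hosts without that policy, wrap the four sel* attributes in a check on `$facts['os']['selinux']['enabled']`, or state in a comment above the resource that the puppet SELinux module is a prerequisite. Note also that an explicit label that differs from the file_contexts default is reverted by any relabel (restorecon), so it only stays stable if a matching fcontext rule exists; a one-line comment naming where that rule is managed would help the next maintainer. The class body continues outside this hunk.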
@@ -39,45 +43,58 @@ class puppet_cd::main::files (
 if $fqdn == $pt_pm_fqdn {
 file { $pt_puppet_conf_file:
- ensure => file,
- path => $pt_puppet_conf_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_puppet_conf_erb),
- notify => Service[$pt_agent_service,$pt_server_service],
+ ensure => file,
+ path => $pt_puppet_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_puppet_conf_erb),
+ notify => Service[$pt_agent_service,$pt_server_service],
 }
 if $pt_use_puppetdb == true {
 # puppetdb
 file { $pt_puppetdb_conf_file:
- ensure => file,
- path => $pt_puppetdb_conf_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_puppetdb_conf_erb),
- notify => Service[$pt_agent_service,$pt_server_service],
+ ensure => file,
+ path => $pt_puppetdb_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_puppetdb_conf_erb),
+ notify => Service[$pt_agent_service,$pt_server_service],
 }
 # routes.yaml
 file { $pt_routes_file:
- ensure => file,
- path => $pt_routes_file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template($pt_routes_erb),
- notify => Service[$pt_server_service],
+ ensure => file,
+ path => $pt_routes_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => puppet_etc_t,
+ seluser => system_u,
+ content => template($pt_routes_erb),
+ notify => Service[$pt_server_service],
 }
 file { $pt_node_rb_file:
- ensure => file,
- owner => 'puppet',
- group => 'puppet',
- mode => '0550',
- selrole => object_r,
- seltype => foreman_enc_t,
- seluser => system_u,
- content => template($pt_node_rb_erb),
+ ensure => file,
+ owner => 'puppet',
+ group => 'puppet',
+ mode => '0550',
+ selrange => s0,
+ selrole => object_r,
+ seltype => foreman_enc_t,
+ seluser => system_u,
+ content => template($pt_node_rb_erb),
 }
 }
 if $pt_use_puppetdb != true {
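Review bot: The same four-line SELinux context block (selrange/selrole/seluser plus a seltype) is now repeated verbatim in all four file resources of this hunk, and the node.rb resource having lacked `selrange` until this commit shows how such copies drift apart. Defining the shared part once as a hash near the top of the class (outside this hunk) and spreading it into each resource with the attribute splat `* => $sel_ctx`, overriding only `seltype` where it differs, removes the duplication. The values are also unquoted barewords while every neighbouring string is quoted; writing them as `seltype => 'foreman_enc_t',` keeps the resources consistent. The enclosing class continues outside this hunk.
```puppet
# near the top of the class body (outside this hunk): shared context, seltype set per resource
$sel_ctx = {
  selrange => 's0',
  selrole  => 'object_r',
  seluser  => 'system_u',
}

file { $pt_puppet_conf_file:
  ensure  => file,
  # … unchanged: path, owner, group, mode …
  *       => $sel_ctx,
  seltype => 'puppet_etc_t',
  content => template($pt_puppet_conf_erb),
  notify  => Service[$pt_agent_service,$pt_server_service],
}
# … unchanged: same pattern for $pt_puppetdb_conf_file, $pt_routes_file and $pt_node_rb_file (seltype 'foreman_enc_t') …
```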