Merge c310386 into 3e637e3

README.md

@@ -67,9 +67,6 @@ running system.
   does) the order is important. If you add /my/folder before /my/folder/subfolder
   only /my/folder will match (limitation of SELinux). There is no such limitation
   to file-contexts defined in SELinux modules. (GH-121)
-* While SELinux is disabled the defined types `selinux::boolean`,
-  `selinux::fcontext`, `selinux::port` will produce puppet agent runtime errors
-  because the used tools fail.
 * If you try to remove a built-in permissive type, the operation will appear to succeed
   but will actually have no effect, making your puppet runs non-idempotent.
 * The `selinux_port` provider may misbehave if the title does not correspond to

manifests/boolean.pp

@@ -36,8 +36,11 @@
     default              => undef,
   }
 
-  selboolean { $name:
-    value      => $value,
-    persistent => $persistent,
+  # Do nothing unless SELinux is enabled
+  if $facts['selinux'] == true {
+    selboolean { $name:
+      value      => $value,
+      persistent => $persistent,
+    }
   }
 }

manifests/fcontext.pp

@@ -54,12 +54,15 @@
     fail('"filetype" must be one of: a,f,d,c,b,s,l,p - see "man semanage-fcontext"')
   }
 
-  # make sure the title is correct or the provider will misbehave
-  selinux_fcontext {"${pathspec}_${filetype}":
-    ensure    => $ensure,
-    pathspec  => $pathspec,
-    seltype   => $seltype,
-    file_type => $filetype,
-    seluser   => $seluser,
+  # Do nothing unless SELinux is enabled
+  if $facts['selinux'] == true {
+    # make sure the title is correct or the provider will misbehave
+    selinux_fcontext {"${pathspec}_${filetype}":
+      ensure    => $ensure,
+      pathspec  => $pathspec,
+      seltype   => $seltype,
+      file_type => $filetype,
+      seluser   => $seluser,
+    }
   }
 }

manifests/port.pp

@@ -56,11 +56,14 @@
     fail("Malformed port range: ${port_range}")
   }
 
-  selinux_port {"${protocol}_${range[0]}-${range[1]}":
-    ensure    => $ensure,
-    low_port  => $range[0],
-    high_port => $range[1],
-    seltype   => $seltype,
-    protocol  => $protocol,
+  # Do nothing unless SELinux is enabled
+  if $facts['selinux'] == true {
+    selinux_port {"${protocol}_${range[0]}-${range[1]}":
+      ensure    => $ensure,
+      low_port  => $range[0],
+      high_port => $range[1],
+      seltype   => $seltype,
+      protocol  => $protocol,
+    }
   }
 }

spec/defines/selinux_boolean_spec.rb

@@ -12,39 +12,80 @@
       it { is_expected.to contain_selinux__boolean('mybool').that_requires('Anchor[selinux::module post]') }
       it { is_expected.to contain_selinux__boolean('mybool').that_comes_before('Anchor[selinux::end]') }
 
-      ['on', true, 'present'].each do |value|
-        context value do
-          let(:params) do
-            {
-              ensure: value
-            }
+      context "SELinux enabled" do
+        let(:facts) do
+          facts.merge({ :selinux => true })
+        end
+
+        ['on', true, 'present'].each do |value|
+          context value do
+            let(:params) do
+              {
+                ensure: value
+              }
+            end
+
+            it do
+              is_expected.to contain_selboolean('mybool').with(
+                'value'      => 'on',
+                'persistent' => true
+              )
+            end
           end
+        end
+
+        ['off', false, 'absent'].each do |value|
+          context value do
+            let(:params) do
+              {
+                ensure: value
+              }
+            end
 
-          it do
-            is_expected.to contain_selboolean('mybool').with(
-              'value'      => 'on',
-              'persistent' => true
-            )
+            it do
+              is_expected.to contain_selboolean('mybool').with(
+                'value'      => 'off',
+                'persistent' => true
+              )
+            end
           end
         end
       end
 
-      ['off', false, 'absent'].each do |value|
-        context value do
-          let(:params) do
-            {
-              ensure: value
-            }
+      context "SELinux disabled" do
+        let(:facts) do
+          facts.merge({ :selinux => false })
+        end
+
+        ['on', true, 'present'].each do |value|
+          context value do
+            let(:params) do
+              {
+                ensure: value
+              }
+            end
+
+            it do
+              is_expected.not_to contain_selboolean('mybool')
+            end
           end
+        end
 
-          it do
-            is_expected.to contain_selboolean('mybool').with(
-              'value'      => 'off',
-              'persistent' => true
-            )
+        ['off', false, 'absent'].each do |value|
+          context value do
+            let(:params) do
+              {
+                ensure: value
+              }
+            end
+
+            it do
+              is_expected.not_to contain_selboolean('mybool')
+            end
           end
         end
       end
+
     end
   end
 end

spec/defines/selinux_fcontext_spec.rb

@@ -6,7 +6,7 @@
   on_supported_os.each do |os, facts|
     context "on #{os}" do
       let(:facts) do
-        facts
+        facts.merge({ :selinux => true })
       end
 
       context 'ordering' do

spec/defines/selinux_port_spec.rb

@@ -6,7 +6,7 @@
   on_supported_os.each do |os, facts|
     context "on #{os}" do
       let(:facts) do
-        facts
+        facts.merge({ :selinux => true })
       end
 
       context 'ordering' do