[issue #119] Update fcontext to allow override of built-in types

resources/fcontext.rb

@@ -93,7 +93,14 @@ def relabel_files
     return
   end
 
-  unless current_file_context
+  # "add" is performed in two scenarios.
+  # 1: The local file_contexts.local has an entry for new_resource.file_spec, but secontext <> new_resource.secontext
+  # 2. The local file_contexts.local does NOT have an entry for new_resource.file_spec, AND
+  #    either the system default (file_contexts) does not have an entry for new_resource.file_spec, or the secontext <> new_resource.secontext
+  # In both scenarios, file_contexts.local is created with a new entry, or the secontext is updated.
+
+  cfc = current_file_context
+  unless cfc && cfc == new_resource.secontext
     converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
       shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
       relabel_files

test/cookbooks/selinux_test/recipes/fcontext.rb

@@ -21,3 +21,40 @@
   secontext 'etc_t'
   file_type 'd'
 end
+
+# testing override of built-in context, using '/home/[^/]+/\.ssh(/.*)?'
+# Use converge counter so we only do the fcontext manipulation in first round. Otherwise
+# the "enforce_idempotency" will cause converge to fail.
+
+node.run_state['chef_converge_counter'] = `cat /tmp/chef_converge_counter 2>/dev/null`.to_i
+node.run_state['chef_converge_counter'] += 1
+file '/tmp/chef_converge_counter' do
+  content lazy { node.run_state['chef_converge_counter'].to_s }
+  mode '0644'
+  only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+execute 'Check built-in fcontext' do
+  command 'matchpathcon /home/user1/.ssh | grep ssh_home_t'
+  only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+# override with 'shadow_t'
+selinux_fcontext '/home/[^/]+/\.ssh(/.*)?' do
+  secontext 'shadow_t'
+  action :add
+  only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+execute 'Check fcontext override' do
+  command 'matchpathcon /home/user1/.ssh | grep shadow_t'
+  only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+# remove the override
+selinux_fcontext '/home/[^/]+/\.ssh(/.*)?' do
+  action :delete
+  only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+

test/integration/fcontext/controls/fcontext_control.rb

@@ -19,3 +19,12 @@
     its('selinux_label') { should match 'etc_t' }
   end
 end
+
+control 'fcontext override' do
+  title 'Verify that built-in SELinux file contexts override works correctly'
+
+  describe command('matchpathcon /home/user1/.ssh') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /ssh_home_t/ }
+  end
+end