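# certbot::selinux
#
# @summary Applies the SELinux file context and booleans used for the certbot
#   data directory, only on nodes whose configured SELinux mode is 'enforcing'.
#
# @param data_root
#   Absolute path of the certbot data directory. "${data_root}/pub" is the
#   tree that gets the httpd_sys_content_t label. Defaults to
#   $certbot::data_root.
#
# NOTE(review): data_root is interpolated into resource titles, an fcontext
# pathspec (a regular expression) and a command line. Stdlib::Absolutepath
# only checks that it looks like an absolute path, so it should come from
# trusted module data, not from anything a node can influence.
class certbot::selinux (
  Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
  # dig() returns undef when any key on the way is missing (for example when
  # the os.selinux fact is absent), so the comparison is simply false there
  # instead of failing catalog compilation on an index into undef.
  if $facts.dig('os', 'selinux', 'config_mode') == 'enforcing' {
    # Label everything under ${data_root}/pub as httpd_sys_content_t.
    selinux::fcontext { "${data_root}/pub":
      ensure   => 'present',
      seltype  => 'httpd_sys_content_t',
      pathspec => "${data_root}/pub(/.*)?",
    }

    # Allow httpd-domain processes to make outbound network connections.
    # NOTE(review): this boolean is not limited to a port or destination;
    # confirm the web server really needs general outbound access.
    selboolean { 'httpd_can_network_connect':
      persistent => true,
      value      => 'on',
    }

    # Allow rsync to run as a client.
    selboolean { 'rsync_client':
      persistent => true,
      value      => 'on',
    }

    # NOTE(review): the next two booleans are system-wide and broad.
    # rsync_export_all_ro lets the rsync domain read files regardless of
    # their label, and rsync_full_access lets it manage them, so SELinux no
    # longer confines rsync to labelled content on this host. If rsync only
    # has to reach ${data_root}/pub, a dedicated file context for that tree
    # is the narrower option; rsync_export_all_ro is presumably redundant
    # once rsync_full_access is on - verify before removing either.
    selboolean { 'rsync_export_all_ro':
      persistent => true,
      value      => 'on',
    }

    selboolean { 'rsync_full_access':
      persistent => true,
      value      => 'on',
    }

    # Relabel the existing tree, but only when the fcontext rule above
    # changes (refreshonly + subscribe); -R recurses, -v reports each change.
    exec { "restorecon_${data_root}/pub":
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      command     => "restorecon -Rv ${data_root}/pub",
      refreshonly => true,
      subscribe   => Selinux::Fcontext["${data_root}/pub"],
    }
  }
}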