# profiles::edgecache::selinux
#
# SELinux policy for the edge cache. When the host is configured for enforcing
# mode this class:
#   * registers file-context rules for the pub, cache and cache_tmp
#     directories under data_root,
#   * turns on the httpd_can_network_connect boolean persistently,
#   * relabels each directory with restorecon whenever its rule changes.
#
# Nothing is managed when os.selinux.config_mode is anything other than
# 'enforcing'.
#
# NOTE(review): config_mode is the configured mode, which may differ from the
# running mode. A permissive host gets no labels from this class; confirm that
# is intended, because content created there stays unlabelled until a Puppet
# run happens after the configuration is switched to enforcing.
# NOTE(review): the chained fact lookup assumes the os.selinux fact exists on
# every node that includes this class; confirm for non-SELinux platforms.
class profiles::edgecache::selinux {
  include profiles::edgecache::params

  $data_root = $profiles::edgecache::params::data_root

  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
    # Directory under data_root => SELinux type for everything below it.
    # pub is read-only content for httpd; cache and cache_tmp are writable by
    # it. Keep the writable type off any directory httpd only needs to read.
    $labelled_dirs = {
      'pub'       => 'httpd_sys_content_t',
      'cache'     => 'httpd_sys_rw_content_t',
      'cache_tmp' => 'httpd_sys_rw_content_t',
    }

    # One file-context rule per directory, covering the directory itself and
    # every path beneath it.
    # NOTE(review): data_root is interpolated unescaped into the pathspec
    # regular expression; this assumes it is a plain absolute path with no
    # regex metacharacters. Verify against profiles::edgecache::params.
    $labelled_dirs.each |String $subdir, String $seltype| {
      $target = "${data_root}/${subdir}"

      selinux::fcontext { $target:
        ensure   => 'present',
        seltype  => $seltype,
        pathspec => "${target}(/.*)?",
      }
    }

    # Let httpd open outbound connections to other hosts.
    # NOTE(review): this boolean is broad. It permits outbound connections
    # from the httpd domain to any port, so a compromised web process could
    # reach internal services. Confirm that a narrower boolean such as
    # httpd_can_network_relay would not be sufficient for this cache.
    selboolean { 'httpd_can_network_connect':
      persistent => true,
      value      => 'on',
    }

    # A file-context rule only affects future labelling, so relabel the
    # existing tree when (and only when) its rule is created or changed.
    $labelled_dirs.each |String $subdir, String $_seltype| {
      $target = "${data_root}/${subdir}"

      exec { "restorecon_${target}":
        path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
        command     => "restorecon -Rv ${target}",
        refreshonly => true,
        subscribe   => Selinux::Fcontext[$target],
      }
    }
  }
}