# profiles::selinux::mysqld
#
# @summary SELinux settings for mysqld and galera.
#
# Declares the SELinux mode (via profiles::selinux::setenforce), labels the
# MySQL data directory as mysqld_db_t, manages the two MySQL-related SELinux
# booleans, and relabels the data directory whenever the file-context rule
# changes.
#
# @param datadir
#   Absolute path of the MySQL data directory. Used as the fcontext title,
#   inside the pathspec regular expression, and on the restorecon command line.
#   NOTE(review): the value is interpolated as-is in both places, and
#   Stdlib::Absolutepath does not exclude whitespace or regex metacharacters,
#   so keep it to plain path characters.
# @param persistent
#   Passed to both selboolean resources; when true the boolean values are
#   written to the policy store so they survive a reboot.
# @param mysql_connect_any
#   Value for the `mysql_connect_any` SELinux boolean.
#   NOTE(review): defaults to true, which lets the mysqld domain connect to
#   any port. If only Galera replication traffic needs this, labelling the
#   specific replication ports may be a narrower alternative - confirm
#   against the deployment before relying on the default.
# @param selinuxuser_mysql_connect_enabled
#   Value for the `selinuxuser_mysql_connect_enabled` SELinux boolean
#   (local users connecting to the MySQL server).
# @param selinux_mode
#   Mode handed to profiles::selinux::setenforce.
#   NOTE(review): typed as a free-form String; the accepted values and the
#   scope of the change are defined by that class, which is not visible here.
#   Presumably anything other than 'enforcing' relaxes enforcement for the
#   whole host rather than for mysqld only - verify.
class profiles::selinux::mysqld (
  Stdlib::Absolutepath $datadir                           = '/var/lib/mysql',
  Boolean              $persistent                        = true,
  Boolean              $mysql_connect_any                 = true,
  Boolean              $selinuxuser_mysql_connect_enabled = true,
  String               $selinux_mode                      = 'enforcing',
) {

  # SELinux mode is delegated to the shared setenforce profile.
  class { 'profiles::selinux::setenforce':
    mode => $selinux_mode,
  }

  # File-context rule: the data directory itself and everything beneath it
  # gets the mysqld_db_t type.
  selinux::fcontext { $datadir:
    ensure   => 'present',
    seltype  => 'mysqld_db_t',
    pathspec => "${datadir}(/.*)?",
  }

  # Allow connections to MySQL on the local system.
  selboolean { 'selinuxuser_mysql_connect_enabled':
    persistent => $persistent,
    value      => $selinuxuser_mysql_connect_enabled,
  }

  # Allow mysqld to connect out to other hosts (see the review note on the
  # mysql_connect_any parameter about how broad this boolean is).
  selboolean { 'mysql_connect_any':
    persistent => $persistent,
    value      => $mysql_connect_any,
  }

  # Apply the file-context rule to files that already exist. refreshonly plus
  # the subscription means the recursive relabel runs only when the fcontext
  # resource above reports a change, not on every agent run.
  exec { "restorecon_${datadir}":
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    command     => "restorecon -Rv ${datadir}",
    refreshonly => true,
    subscribe   => Selinux::Fcontext[$datadir],
  }
}