From cef0960c6dccf9e12be5166586e17a49348963b0 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Tue, 10 Jul 2018 20:51:27 +0200 Subject: [PATCH] Explicitly set selinux seltype for rules link Puppet seems to have some issue with creating a symlink in /etc/sysconfig on CentOS, where it creates the link on the first run and then corrects the seltype on the second run, breaking idempotency tests. If we make sure to explicitly set it up front, puppet doesn't get confused. This patch also removes the mode setting since setting the permissions mode on a symlink doesn't make sense. Change-Id: I7019c48220425fc583b9b431eff08a6261ee2ebc --- manifests/init.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 9690e67..e264384 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -125,11 +125,17 @@ class iptables( notify => $notify_iptables, } + if $::osfamily == 'redhat' { + $seltype = 'etc_t' + } else { + $seltype = undef + } + file { $::iptables::params::ipv4_rules: ensure => link, owner => 'root', group => 'root', - mode => '0640', + seltype => $seltype, target => "${::iptables::params::rules_dir}/rules", require => File["${::iptables::params::rules_dir}/rules"], notify => $notify_iptables,
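Review bot: With `mode` dropped from the link resource, read protection of the rule set now rests entirely on `File["${::iptables::params::rules_dir}/rules"]`, which is declared outside this hunk; confirm that resource sets an explicit restrictive mode (`0640` or tighter, `root`/`root`), since the rules file reveals the firewall policy and symlink permission bits are not enforced on Linux anyway. The hard-coded `'etc_t'` also deserves a why-comment, because a reader cannot tell from the code that it is meant to match the label the host policy assigns to the link and thereby avoid the second-run correction; e.g. `# Symlinks in /etc/sysconfig get etc_t from the default policy; set it explicitly so the first run is idempotent on RedHat-family hosts.` If a host's policy maps this path to a different type, the explicit value would be reverted by restorecon and re-applied by Puppet on every run, so the comment should also say the value was taken from the observed label rather than chosen for any security property. Puppet does not allow variable reassignment, so `$seltype` must not already be a parameter or earlier variable of `class iptables`, whose parameter list and body start above the hunk and are not visible here.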