puppetlabs · mihaibuzgau · Jul 23, 2019 · Jul 1, 2019
diff --git a/lib/puppet/provider/file/posix.rb b/lib/puppet/provider/file/posix.rb
@@ -8,6 +8,11 @@
   include Puppet::Util::Warnings
 
   require 'etc'
+  require 'puppet/util/selinux'
+
+  def self.post_resource_eval
+    Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
+  end
 
   def uid2name(id)
     return id.to_s if id.is_a?(Symbol) or id.is_a?(String)

diff --git a/lib/puppet/util/selinux.rb b/lib/puppet/util/selinux.rb
@@ -13,14 +13,18 @@
 
 module Puppet::Util::SELinux
 
-  def selinux_support?
+  def self.selinux_support?
     return false unless defined?(Selinux)
     if Selinux.is_selinux_enabled == 1
       return true
     end
     false
   end
 
+  def selinux_support?
+    Puppet::Util::SELinux.selinux_support?
+  end
+
   # Retrieve and return the full context of the file.  If we don't have
   # SELinux support or if the SELinux call fails then return nil.
   def get_selinux_current_context(file)

diff --git a/spec/unit/transaction_spec.rb b/spec/unit/transaction_spec.rb
@@ -778,6 +778,24 @@ def post_resource_eval
 
       transaction.evaluate
     end
+
+    it "should call Selinux.matchpathcon_fini in case Selinux is enabled ", :if => Puppet.features.posix? do
+      unless defined?(Selinux)
+        module Selinux
+          def self.is_selinux_enabled
+            true
+          end
+        end
+      end
+
+      resource = Puppet::Type.type(:file).new(:path => make_absolute("/tmp/foo"))
+      transaction = transaction_with_resource(resource)
+
+      expect(Selinux).to receive(:matchpathcon_fini)
+      expect(Puppet::Util::SELinux).to receive(:selinux_support?).and_return(true)
+
+      transaction.evaluate
+    end
   end
 
   describe 'when checking application run state' do