gistfile1.txt

Now, lets start by looking at the existing perms, and running the file resource with selinux_ignore_defaults => true:

[root@centos-64-x64-vbox4210-nocm plugins]# ls -lZ /usr/local/nagios/libexec/check_md_raid
-rwxr-xr-x. root root system_u:object_r:nagios_services_plugin_exec_t:s0 /usr/local/nagios/libexec/check_md_raid
[root@centos-64-x64-vbox4210-nocm plugins]# cat /tmp/foo.pp
file { 'check_md_raid':
  ensure => present,
  content => 'foo',
  mode => '755',
  path => '/usr/local/nagios/libexec/check_md_raid',
  owner => 'root',
  group => 'root',
  selinux_ignore_defaults => true,
}
[root@centos-64-x64-vbox4210-nocm plugins]# puppet apply /tmp/foo.pp
Notice: Compiled catalog for centos-64-x64-vbox4210-nocm.vm in environment production in 0.06 seconds
Notice: Finished catalog run in 0.02 seconds

Lets return the setting to its defaults:

[root@centos-64-x64-vbox4210-nocm plugins]# vi /tmp/foo.pp
[root@centos-64-x64-vbox4210-nocm plugins]# cat /tmp/foo.pp
file { 'check_md_raid':
  ensure => present,
  content => 'foo',
  mode => '755',
  path => '/usr/local/nagios/libexec/check_md_raid',
  owner => 'root',
  group => 'root',
#  selinux_ignore_defaults => true,
}
[root@centos-64-x64-vbox4210-nocm plugins]# puppet apply /tmp/foo.pp
Notice: Compiled catalog for centos-64-x64-vbox4210-nocm.vm in environment production in 0.06 seconds
Notice: /File[check_md_raid]/seltype: seltype changed 'nagios_services_plugin_exec_t' to 'usr_t'
Notice: Finished catalog run in 0.03 seconds
[root@centos-64-x64-vbox4210-nocm plugins]# ls -lZ /usr/local/nagios/libexec/check_md_raid
-rwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/local/nagios/libexec/check_md_raid

As you can see, puppet's behaviour is to return the file to its defaults with selinux_ignore_defaults => false, but to leave it alone when set to true.