diff --git a/lib/puppet/type/file/selcontext.rb b/lib/puppet/type/file/selcontext.rb
index a33c6a000..ea385eec0 100644
--- a/lib/puppet/type/file/selcontext.rb
+++ b/lib/puppet/type/file/selcontext.rb
@@ -1,103 +1,119 @@
 # Manage SELinux context of files.
 #
 # This code actually manages three pieces of data in the context.
 #
 # [root@delenn files]# ls -dZ /
 # drwxr-xr-x  root root system_u:object_r:root_t         /
 #
 # The context of '/' here is 'system_u:object_r:root_t'.  This is
 # three seperate fields:
 #
 # system_u is the user context
 # object_r is the role context
 # root_t is the type context
 #
 # All three of these fields are returned in a single string by the
 # output of the stat command, but set individually with the chcon
 # command.  This allows the user to specify a subset of the three
 # values while leaving the others alone.
 #
 # See http://www.nsa.gov/selinux/ for complete docs on SELinux.
 
 module Puppet
   require 'puppet/util/selinux'
 
   class SELFileContext < Puppet::Property
     include Puppet::Util::SELinux
 
     def retrieve
       return :absent unless @resource.stat(false)
       context = self.get_selinux_current_context(@resource[:path])
       parse_selinux_context(name, context)
     end
 
     def retrieve_default_context(property)
+      if @resource[:selinux_ignore_defaults] == :true
+        return nil
+      end
+
       unless context = self.get_selinux_default_context(@resource[:path])
         return nil
       end
+
       property_default = self.parse_selinux_context(property, context)
       self.debug "Found #{property} default '#{property_default}' for #{@resource[:path]}" if not property_default.nil?
       property_default
     end
 
     def insync?(value)
       if not selinux_support?
         debug("SELinux bindings not found. Ignoring parameter.")
         return true
       end
       super
     end
 
     def sync
       self.set_selinux_context(@resource[:path], @should, name)
       :file_changed
     end
   end
 
+  Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do
+    desc "If this is set then Puppet will not ask SELinux (via matchpathcon) to
+      supply defaults for the SELinux attributes (seluser, selrole,
+      seltype, and selrange). In general, you should leave this set at its
+      default and only set it to true when you need Puppet to not try to fix
+      SELinux labels automatically."
+    newvalues(:true, :false)
+
+    defaultto :false
+  end
+
   Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do
     desc "What the SELinux user component of the context of the file should be.
       Any valid SELinux user component is accepted.  For example `user_u`.
       If not specified it defaults to the value returned by matchpathcon for
       the file, if any exists.  Only valid on systems with SELinux support
       enabled."
 
     @event = :file_changed
     defaultto { self.retrieve_default_context(:seluser) }
   end
 
   Puppet::Type.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do
     desc "What the SELinux role component of the context of the file should be.
       Any valid SELinux role component is accepted.  For example `role_r`.
       If not specified it defaults to the value returned by matchpathcon for
       the file, if any exists.  Only valid on systems with SELinux support
       enabled."
 
     @event = :file_changed
     defaultto { self.retrieve_default_context(:selrole) }
   end
 
   Puppet::Type.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do
     desc "What the SELinux type component of the context of the file should be.
       Any valid SELinux type component is accepted.  For example `tmp_t`.
       If not specified it defaults to the value returned by matchpathcon for
       the file, if any exists.  Only valid on systems with SELinux support
       enabled."
 
     @event = :file_changed
     defaultto { self.retrieve_default_context(:seltype) }
   end
 
   Puppet::Type.type(:file).newproperty(:selrange, :parent => Puppet::SELFileContext) do
     desc "What the SELinux range component of the context of the file should be.
       Any valid SELinux range component is accepted.  For example `s0` or
       `SystemHigh`.  If not specified it defaults to the value returned by
       matchpathcon for the file, if any exists.  Only valid on systems with
       SELinux support enabled and that have support for MCS (Multi-Category
       Security)."
 
     @event = :file_changed
     defaultto { self.retrieve_default_context(:selrange) }
   end
 
 end
 
diff --git a/spec/unit/type/file/selinux_spec.rb b/spec/unit/type/file/selinux_spec.rb
index 043471dec..a2444acd9 100644
--- a/spec/unit/type/file/selinux_spec.rb
+++ b/spec/unit/type/file/selinux_spec.rb
@@ -1,83 +1,88 @@
 #!/usr/bin/env ruby
 
 Dir.chdir(File.dirname(__FILE__)) { (s = lambda { |f| File.exist?(f) ? require(f) : Dir.chdir("..") { s.call(f) } }).call("spec/spec_helper.rb") }
 
 
 [:seluser, :selrole, :seltype, :selrange].each do |param|
   property = Puppet::Type.type(:file).attrclass(param)
   describe property do
     before do
       @resource = Puppet::Type.type(:file).new :path => "/my/file"
       @sel = property.new :resource => @resource
     end
 
     it "retrieve on #{param} should return :absent if the file isn't statable" do
       @resource.expects(:stat).returns nil
       @sel.retrieve.should == :absent
     end
 
     it "should retrieve nil for #{param} if there is no SELinux support" do
       stat = stub 'stat', :ftype => "foo"
       @resource.expects(:stat).returns stat
       @sel.expects(:get_selinux_current_context).with("/my/file").returns nil
       @sel.retrieve.should be_nil
     end
 
     it "should retrieve #{param} if a SELinux context is found with a range" do
       stat = stub 'stat', :ftype => "foo"
       @resource.expects(:stat).returns stat
       @sel.expects(:get_selinux_current_context).with("/my/file").returns "user_u:role_r:type_t:s0"
       expectedresult = case param
         when :seluser; "user_u"
         when :selrole; "role_r"
         when :seltype; "type_t"
         when :selrange; "s0"
       end
       @sel.retrieve.should == expectedresult
     end
 
     it "should retrieve #{param} if a SELinux context is found without a range" do
       stat = stub 'stat', :ftype => "foo"
       @resource.expects(:stat).returns stat
       @sel.expects(:get_selinux_current_context).with("/my/file").returns "user_u:role_r:type_t"
       expectedresult = case param
         when :seluser; "user_u"
         when :selrole; "role_r"
         when :seltype; "type_t"
         when :selrange; nil
       end
       @sel.retrieve.should == expectedresult
     end
 
     it "should handle no default gracefully" do
       @sel.expects(:get_selinux_default_context).with("/my/file").returns nil
       @sel.default.must be_nil
     end
 
     it "should be able to detect matchpathcon defaults" do
       @sel.stubs(:debug)
       @sel.expects(:get_selinux_default_context).with("/my/file").returns "user_u:role_r:type_t:s0"
       expectedresult = case param
         when :seluser; "user_u"
         when :selrole; "role_r"
         when :seltype; "type_t"
         when :selrange; "s0"
       end
       @sel.default.must == expectedresult
     end
 
+    it "should return nil for defaults if selinux_ignore_defaults is true" do
+      @resource[:selinux_ignore_defaults] = :true
+      @sel.default.must be_nil
+    end
+
     it "should be able to set a new context" do
       stat = stub 'stat', :ftype => "foo"
       @sel.should = %w{newone}
       @sel.expects(:set_selinux_context).with("/my/file", ["newone"], param)
       @sel.sync
     end
 
     it "should do nothing for safe_insync? if no SELinux support" do
       @sel.should = %{newcontext}
       @sel.expects(:selinux_support?).returns false
       @sel.safe_insync?("oldcontext").should == true
     end
   end
 end