From: Alfredo Deza
Date: Tue, 5 Nov 2019 16:51:16 +0000 (-0500)
Subject: ceph-volume util.system allow skipping restorecon calls
X-Git-Tag: v14.2.5~115^2~1
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=9befc77b87e004f50be0e9e9ab884623c770dca0;p=ceph.git
ceph-volume util.system allow skipping restorecon calls
Signed-off-by: Alfredo Deza
(cherry picked from commit 33c8a64a54d9ea8962091caf8564cea3f603c5f5)
---
diff --git a/src/ceph-volume/ceph_volume/util/system.py b/src/ceph-volume/ceph_volume/util/system.py
index 98f6fc42dd43c..b5c4ce940aed2 100644
--- a/src/ceph-volume/ceph_volume/util/system.py
+++ b/src/ceph-volume/ceph_volume/util/system.py
@@ -275,7 +275,33 @@ def get_mounts(devices=False, paths=False, realpath=False):
 return paths_mounted


-def set_context(path, recursive = False):
+def set_context(path, recursive=False):
+ """
+ Calls ``restorecon`` to set the proper context on SELinux systems. Only if
+ the ``restorecon`` executable is found anywhere in the path it will get
+ called.
+
+ If the ``CEPH_VOLUME_SKIP_RESTORECON`` environment variable is set to
+ any of: "1", "true", "yes" the call will be skipped as well.
+
+ Finally, if SELinux is not enabled, or not available in the system,
+ ``restorecon`` will not be called. This is checked by calling out to the
+ ``selinuxenabled`` executable. If that tool is not installed or returns
+ a non-zero exit status then no further action is taken and this function
+ will return.
+ """
+ skip = os.environ.get('CEPH_VOLUME_SKIP_RESTORECON', '')
+ if skip.lower() in ['1', 'true', 'yes']:
+ logger.info(
+ 'CEPH_VOLUME_SKIP_RESTORECON environ is set, will not call restorecon'
+ )
+ return
+
+ stdout, stderr, code = process.call(['selinuxenabled'], verbose_on_failure=False)
+ if code != 0:
+ logger.info('SELinux is not enabled, will not call restorecon')
+ return
+
 # restore selinux context to default policy values
 if which('restorecon').startswith('/'):
 if recursive:
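Review bot: The new docstring of `set_context` promises that a missing `selinuxenabled` tool makes the function return quietly, but the added code only tests `code != 0` after `process.call(['selinuxenabled'], verbose_on_failure=False)`. `process.call` is not visible in this hunk; if it lets the `OSError` from a missing executable propagate, callers of `set_context` would fail on hosts without the SELinux utilities instead of skipping the relabel. Catching that error around the call, as in the excerpt below, would make the code match the documented behaviour. Because `CEPH_VOLUME_SKIP_RESTORECON` leaves paths with whatever SELinux label they already carry, logging that skip at warning level rather than info may make it easier to trace later label denials back to this setting. The body of `set_context` continues past the end of the hunk.

```python
    # … unchanged: CEPH_VOLUME_SKIP_RESTORECON check …
    try:
        stdout, stderr, code = process.call(['selinuxenabled'], verbose_on_failure=False)
    except OSError:
        # selinuxenabled is not installed: treat it like "SELinux not available"
        logger.info('selinuxenabled not found, will not call restorecon')
        return
    # … unchanged: code != 0 check and restorecon calls …
```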