From b39e7648b6d5361428bafc956a83faed1ce059d8 Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Tue, 5 Nov 2019 11:51:16 -0500
Subject: [PATCH] ceph-volume util.system allow skipping restorecon calls
Signed-off-by: Alfredo Deza
(cherry picked from commit 33c8a64a54d9ea8962091caf8564cea3f603c5f5)
---
 src/ceph-volume/ceph_volume/util/system.py | 28 +++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/ceph-volume/ceph_volume/util/system.py b/src/ceph-volume/ceph_volume/util/system.py
index 98f6fc42dd43c..b5c4ce940aed2 100644
--- a/src/ceph-volume/ceph_volume/util/system.py
+++ b/src/ceph-volume/ceph_volume/util/system.py
@@ -275,7 +275,33 @@ def get_mounts(devices=False, paths=False, realpath=False):
 return paths_mounted
-def set_context(path, recursive = False):
+def set_context(path, recursive=False):
+ """
+ Calls ``restorecon`` to set the proper context on SELinux systems. Only if
+ the ``restorecon`` executable is found anywhere in the path it will get
+ called.
+
+ If the ``CEPH_VOLUME_SKIP_RESTORECON`` environment variable is set to
+ any of: "1", "true", "yes" the call will be skipped as well.
+
+ Finally, if SELinux is not enabled, or not available in the system,
+ ``restorecon`` will not be called. This is checked by calling out to the
+ ``selinuxenabled`` executable. If that tool is not installed or returns
+ a non-zero exit status then no further action is taken and this function
+ will return.
+ """
+ skip = os.environ.get('CEPH_VOLUME_SKIP_RESTORECON', '')
+ if skip.lower() in ['1', 'true', 'yes']:
+ logger.info(
+ 'CEPH_VOLUME_SKIP_RESTORECON environ is set, will not call restorecon'
+ )
+ return
+
+ stdout, stderr, code = process.call(['selinuxenabled'], verbose_on_failure=False)
+ if code != 0:
+ logger.info('SELinux is not enabled, will not call restorecon')
+ return
+
 # restore selinux context to default policy values
 if which('restorecon').startswith('/'):
 if recursive:
--
2.39.5
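Review bot: The new docstring promises that a missing `selinuxenabled` tool makes set_context return quietly, but the added `process.call(['selinuxenabled'], ...)` only checks the exit code. Unless process.call (not visible here) turns a missing executable into a non-zero code, hosts without the SELinux userland would get an exception out of set_context instead of the documented no-op. Catching the launch failure around that call, as sketched below, would make the code match the docstring. Separately, the `CEPH_VOLUME_SKIP_RESTORECON` branch leaves the path with whatever label it already had and records that only at info level; `logger.warning` naming `path` would make a skipped relabel easier to find when auditing an enforcing host. The body of set_context continues past the end of the hunk.

```python
    # … unchanged: CEPH_VOLUME_SKIP_RESTORECON check …
    try:
        stdout, stderr, code = process.call(['selinuxenabled'], verbose_on_failure=False)
    except OSError:
        # selinuxenabled is not installed: treat as "SELinux not available"
        logger.info('selinuxenabled executable not found, will not call restorecon')
        return
    # … unchanged: non-zero exit code check and restorecon call …
```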