ceph-volume util.system allow skipping restorecon calls

Signed-off-by: Alfredo Deza <adeza@redhat.com>
2024-12-30 15:33:31 +00:00 · 2019-11-05 11:51:16 -05:00 · 2019-11-05 11:51:16 -05:00 · 33c8a64a54
commit 33c8a64a54
parent 626daf4b20
1 changed files with 27 additions and 1 deletions
--- a/src/ceph-volume/ceph_volume/util/system.py
+++ b/src/ceph-volume/ceph_volume/util/system.py
@ -275,7 +275,33 @@ def get_mounts(devices=False, paths=False, realpath=False):
        return paths_mounted


-def set_context(path, recursive = False):
+def set_context(path, recursive=False):
+    """
+    Calls ``restorecon`` to set the proper context on SELinux systems. Only if
+    the ``restorecon`` executable is found anywhere in the path it will get
+    called.
+
+    If the ``CEPH_VOLUME_SKIP_RESTORECON`` environment variable is set to
+    any of: "1", "true", "yes" the call will be skipped as well.
+
+    Finally, if SELinux is not enabled, or not available in the system,
+    ``restorecon`` will not be called. This is checked by calling out to the
+    ``selinuxenabled`` executable. If that tool is not installed or returns
+    a non-zero exit status then no further action is taken and this function
+    will return.
+    """
+    skip = os.environ.get('CEPH_VOLUME_SKIP_RESTORECON', '')
+    if skip.lower() in ['1', 'true', 'yes']:
+        logger.info(
+            'CEPH_VOLUME_SKIP_RESTORECON environ is set, will not call restorecon'
+        )
+        return
+
+    stdout, stderr, code = process.call(['selinuxenabled'], verbose_on_failure=False)
+    if code != 0:
+        logger.info('SELinux is not enabled, will not call restorecon')
+        return
+
    # restore selinux context to default policy values
    if which('restorecon').startswith('/'):
        if recursive: