python package: pyo files

Toshio Kuratomi toshio at tiki-lounge.com
Wed Aug 9 21:14:37 UTC 2006


On Wed, 2006-08-09 at 16:47 -0400, Jeremy Katz wrote:
> On Wed, 2006-08-09 at 11:16 -0700, Toshio Kuratomi wrote:
> > 
> > Unless I'm misremembering the issue, you get AVC denials in the logs due
> > to python's just-in-time byte compilation trying to write out the .pyo
> > file. The program should still run fine.
> 
> Sure, but denials (even when things end up working properly) still lead
> people to believe that there's a problem.  
> 
So why isn't SELinux allowing python to write the file or using a
dontaudit rule to not print an audit message for those denials?  SELinux
is supposed to prevent things that are unexpected from happening.
python is expected to attempt to write the .pyo.  (The write can still
fail based on file permissions as normal without logging an AVC denial,
right?)

I could be missing something that you'll point out next, but it seems
like we're solving the symptom rather than the issue.  Perhaps I'll be
using Fedora as a basis for a file server on a flash DOM.  I remove all
the .pyo's manually to save space and enable SELinux to help contain any
security holes.  Because I'm a silly goose, I've set
PYTHONOPTIMIZE="yes".  Now I've got tons of AVC messages....

I know just enough SELinux to be dangerous, so feel free to educate me.

-Toshio
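Added example, not part of the original message or of any Fedora policy: a small triage script for the situation discussed in this thread. It separates AVC denials caused by Python trying to write bytecode files from all other denials and prints candidate `dontaudit` rules for the former. The log lines and the type `example_app_t` are constructed placeholders, and matching on the `name=` suffix is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines; the SELinux types are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1155158077.101:41): avc:  denied  { create } for  pid=2101 comm="python" name="config.pyo" scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1155158077.205:42): avc:  denied  { write } for  pid=2101 comm="python" name="util.pyo" dev=hda1 ino=4411 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1155158078.300:43): avc:  denied  { write } for  pid=2230 comm="python" name="shadow" dev=hda1 ino=977 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1155158079.010:44): avc:  granted  { read } for  pid=2230 comm="python" name="site.pyc" scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?name="(?P<name>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)')

def sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def bytecode_denials(log_text):
    """Split denials into bytecode-write noise (grouped) and everything else."""
    grouped, other = defaultdict(set), []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted records and non-AVC lines are ignored
        if m["name"].endswith((".pyc", ".pyo")):
            key = (sel_type(m["s"]), sel_type(m["t"]), m["cls"])
            grouped[key].update(m["perms"].split())
        else:
            other.append(line)  # never silence these; a human should look
    return dict(grouped), other

def dontaudit_rules(grouped):
    """Render one candidate dontaudit rule per (source, target, class)."""
    return [f"dontaudit {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    noise, review = bytecode_denials(SAMPLE_LOG)
    print("\n".join(dontaudit_rules(noise)))
    print(f"{len(review)} other denial(s) left for manual review")
```

A `dontaudit` rule applies to the whole type and class pair, not to a file name, so each candidate should be checked against what else carries the target type before it goes into a policy module.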