python package: pyo files

Jeremy Katz katzj at redhat.com
Wed Aug 9 21:23:52 UTC 2006


On Wed, 2006-08-09 at 14:14 -0700, Toshio Kuratomi wrote:
> On Wed, 2006-08-09 at 16:47 -0400, Jeremy Katz wrote:
> > On Wed, 2006-08-09 at 11:16 -0700, Toshio Kuratomi wrote:
> > > 
> > > Unless I'm misremembering the issue, you get AVC denials in the logs due
> > > to python's just-in-time byte compilation trying to write out the .pyo
> > > file. The program should still run fine.
> > 
> > Sure, but denials (even when things end up working properly) still lead
> > people to believe that there's a problem.  
> > 
> So why isn't SELinux allowing python to write the file or using a
> dontaudit rule to not print an audit message for those denials?  SELinux
> is supposed to prevent things that are unexpected from happening.
> python is expected to attempt to write the .pyo.  (The write can still
> fail based on file permissions as normal without logging an AVC denial,
> right?)

Well, allowing normal users to write to /usr seems like a bad idea and would
be first on my list of "why not allow it" ;-)

As for having a dontaudit rule, it's difficult as you can be talking
about *anything* written in python here.  e.g., think about having foo.py
in your homedir and just running it -- it's not going to have any
special context to be able to dontaudit writes to user.

And in general, if an application is trying to do that, we _do_ want to
know so that it can be fixed, so it's not practical to dontaudit all
attempts to write to /usr.

Jeremy
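As an added example (not code from the thread or from Fedora), here is a small triage script for the situation discussed above: it separates the benign denials Toshio describes (python attempting to write a .pyc/.pyo next to a module under /usr) from write attempts Jeremy says we do want to hear about. The audit lines are constructed for the example; the field layout follows the standard AVC record format.

```python
import re
from typing import Optional

# Constructed sample lines (not from the thread); the field layout follows
# the AVC records the kernel audit subsystem writes to /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1155158632.123:45): avc:  denied  { write } for  pid=2101 comm="python" name="foo.pyo" dev=sda1 ino=31337 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1155158640.456:46): avc:  denied  { add_name } for  pid=2102 comm="python" name="bar.pyc" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1155158650.789:47): avc:  denied  { write } for  pid=2103 comm="python" name="settings.conf" dev=sda1 ino=4242 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1155158660.000:48): avc:  denied  { write } for  pid=2104 comm="perl" name="x.pyo" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BYTECODE_SUFFIXES = ('.pyc', '.pyo')
# Permissions python needs to drop a bytecode file beside its .py source:
# 'write' on an existing file, or 'add_name'/'create' in the directory.
BYTECODE_PERMS = {'write', 'add_name', 'create'}

def parse_avc(line: str) -> Optional[dict]:
    """Return the denied permissions plus key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields['perms'] = set(m.group(1).split())
    return fields

def classify(rec: dict) -> str:
    """'bytecode' for python's harmless .pyc/.pyo write attempt, else 'investigate'."""
    if (rec.get('comm') == 'python'
            and rec.get('name', '').endswith(BYTECODE_SUFFIXES)
            and rec['perms'] & BYTECODE_PERMS
            and rec['perms'] <= BYTECODE_PERMS):
        return 'bytecode'
    return 'investigate'

def triage(log_text: str) -> list:
    """Map each AVC line to (comm, name, target SELinux type, verdict)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        tctx = rec.get('tcontext', '')
        ttype = tctx.split(':')[2] if tctx.count(':') >= 2 else ''
        out.append((rec.get('comm'), rec.get('name'), ttype, classify(rec)))
    return out

if __name__ == '__main__':
    for row in triage(SAMPLE_AUDIT_LOG):
        print(*row)
```

Anything tagged 'investigate' is the case Jeremy wants surfaced rather than silenced by a blanket dontaudit; the 'bytecode' rows are the expected noise from just-in-time compilation.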
