The recent redhat-rpm-config change and you

Toshio Kuratomi toshio at tiki-lounge.com
Mon Jun 20 23:38:25 UTC 2005


On Mon, 2005-06-20 at 13:44 -0400, Nalin Dahyabhai wrote:
> On Sat, Jun 18, 2005 at 01:00:06AM -0400, Toshio Kuratomi wrote:
> > On Fri, 2005-06-17 at 17:05 -0400, Nalin Dahyabhai wrote:
> > > [1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129025
> > 
> > What's a simple test case for this?  I don't have a USB printer but I
> > tried /usr ro on boot with no .pyo files.  This does not cause cups to
> > crash....  Starting other programs which have no .pyo files with
> > PYTHON_OPTIMIZE set also causes no problems.  Is the bug really only
> > about SELinux and not a ro partition?  Does this only happen with cups
> > and USB printers?
> > 
> > Being an anti-pyo person, I'd like to understand this problem so I can
> > be converted :-)
> 
> I can't speak to the specifics of cups and printing, but the problem
> cases in which I'm interested are:
> * Install a package with .py scripts.  Use parts of the package as a
>   user who can write to the files, and you generate .pyc files.  These
>   new files are not owned by any package, and RPM does not remove them
>   if you remove the package.
> * If you can't write to them, and you were denied access by SELinux
>   permission checks (for example, you *were* root, but you were running
>   the script in an execution domain which wouldn't be allowed write
>   access), then you get a log message, either in syslog or in the audit
>   log.  This leads to at least 40 unnecessary panic attacks, resulting
>   in no less than four separate posts to fedora-test-list within the
>   same day, which increases incoming traffic enough to finally kill the
>   mailing list servers.  Please, think of the mailing list servers.
>   Seriously, though, it's preventable.
> 
> The usefulness of .pyo files over .pyc files is marginal [1], but if
> we're trying to avoid problems which crop up when a script only gets
> byte-compiled on an installed system, I think we have to account for
> them as well.
> 
If I read this right, 1) is also solved by ghosting pyo files.  2) is
the tradeoff -- either we have the nearly useless pyo's taking up space
on the filesystem or we get SELinux messages giving false alarms.

More (much more?) work for little gain, but likely the correct solution
would be to configure SELinux policy to recognize a python program
trying to write a pyo file and allow that to pass.  (Coupled with
%ghosting.)

Now that I have a new laptop with a decent sized hard drive I suppose
I'll just have to let go of my .pyo disgruntlement :-)

-Toshio
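
Added example, not part of the original message: a Python triage pass over SELinux AVC denials that separates the byte-compile false alarms discussed in this thread (a python process denied a write of a .pyc/.pyo file) from denials that still need a look. The log lines, the example_script_t domain and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit lines (not from the thread); example_script_t is hypothetical.
SAMPLE_LOG = """\
type=AVC msg=audit(1119310705.101:41): avc:  denied  { add_name } for  pid=2101 comm="python" name="printconf.pyc" scontext=root:system_r:example_script_t tcontext=system_u:object_r:usr_t tclass=dir
type=AVC msg=audit(1119310705.102:42): avc:  denied  { write } for  pid=2101 comm="python" name="util.pyo" dev=hda2 ino=5512 scontext=root:system_r:example_script_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1119310709.300:43): avc:  denied  { read } for  pid=2150 comm="python" name="shadow" dev=hda2 ino=991 scontext=root:system_r:example_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1119310711.007:44): avc:  denied  { write } for  pid=2177 comm="httpd" name="cache.pyc" dev=hda2 ino=77 scontext=root:system_r:example_script_t tcontext=system_u:object_r:usr_t tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?name="(?P<name>[^"]*)".*?tclass=(?P<tclass>\w+)'
)
# Permissions a process needs when it tries to drop a bytecode file next to a script.
WRITE_PERMS = {"write", "add_name", "create"}


def classify(line):
    """Return 'bytecode-cache-write', 'needs-review', or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    is_bytecode = m.group("name").endswith((".pyc", ".pyo"))
    is_python = m.group("comm").startswith("python")
    # Only a python process denied nothing but write-type access to a
    # .pyc/.pyo name is treated as the byte-compile noise from the thread.
    if is_python and is_bytecode and perms and perms <= WRITE_PERMS:
        return "bytecode-cache-write"
    return "needs-review"


def triage(log_text):
    """Count denials per class and keep the lines that still need review."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "needs-review":
            review.append(line)
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
    print("\n".join(review))
```

The denial of a non-python process writing a .pyc name stays in the review pile on purpose, since only the python byte-compile case is the known-benign one.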

More information about the Fedora-maintainers mailing list