The recent redhat-rpm-config change and you

Peter Jones pjones at
Tue Jun 21 17:20:08 UTC 2005

On Tue, 2005-06-21 at 13:06 +0200, Tomas Mraz wrote:
> > More (much more?) work for little gain, but likely the correct solution
> > would be to configure SELinux policy to recognize a python program
> > trying to write a pyo file and allow that to pass.  (Coupled with %
> > ghosting.)
> No, that wouldn't be secure. The written .pyo file could be arbitrary
> code which if run again for example from a different security context
> could exploit your system even more.

Just to be sure, is this really a problem at all?  We're not shipping
python set up to generate the .pyc and .pyo files by default, AFAIK,
we're merely making rpm run the .pyc's through python -O.

So if you log in as root and run some random python program that has a
bunch of .py's in /usr/lib/python2.4/site-packages/, that shouldn't be
generating .pyc's and .pyo's.

This is _just_ /usr/lib/rpm/brp-redhat running brp-python-bytecompile,
which in turn uses python -O to make .pyc's.  It's not something at

More information about the Fedora-maintainers mailing list