The recent redhat-rpm-config change and you

Toshio Kuratomi toshio at tiki-lounge.com
Tue Jun 21 18:32:16 UTC 2005


On Tue, 2005-06-21 at 13:20 -0400, Peter Jones wrote:
> On Tue, 2005-06-21 at 13:06 +0200, Tomas Mraz wrote:
> > > More (much more?) work for little gain, but likely the correct solution
> > > would be to configure SELinux policy to recognize a python program
> > > trying to write a pyo file and allow that to pass.  (Coupled with
> > > %ghosting.)
> > 
> > No, that wouldn't be secure. The written .pyo file could be arbitrary
> > code which if run again for example from a different security context
> > could exploit your system even more.
> 
> Just to be sure, is this really a problem at all?  We're not shipping
> python set up to generate the .pyc and .pyo files by default, AFAIK,
> we're merely making rpm run the .pyc's through python -O.
> 
> So if you log in as root and run some random python program that has a
> bunch of .py's in /usr/lib/python2.4/site-packages/, that shouldn't be
> generating .pyc's and .pyo's.
>
Python does generate .pyc's by default.  If certain environment
variables are set then it generates pyo's instead.

This is why pyc's and pyo's must either be included in the package or
%ghost'd.

> This is _just_ /usr/lib/rpm/brp-redhat running brp-python-bytecompile,
> which in turn uses python -O to make .pyc's.  It's not something at
> runtime.

The announcement is about the use of brp-python-bytecompile which makes
both pyc's and pyo's in the package build step.  This is good as it
saves some spec file work to get right.  These are then listed in the
%files section.

However, the pyos can either be listed as regular files there or as
%ghost files.  Shahms asked whether we should continue to %ghost and
Nalin replied with a bug report which shows "failures" when pyc's and
pyo's are not present.  It looks like the "failure" is actually a
SELinux log message warning that python is trying to write out the
pyc/pyo file if it doesn't already exist.

-Toshio
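The rule Toshio states (every .py in the package needs its .pyc and .pyo either packaged or %ghost'd, otherwise Python tries to write them at runtime and SELinux logs the attempt) can be checked mechanically against a spec's %files list. The following is an added example, not code from the thread or from the Fedora packaging tools; the %files fragment and the `mypkg` paths are constructed.

```python
# Constructed %files fragment (not from the thread): the .pyc files are
# packaged as regular files, the .pyo files are %ghost'd, and util.py has
# neither, which is the case that produces the SELinux write attempt.
SAMPLE_FILES_SECTION = """\
%files
%defattr(-,root,root,-)
%{python_sitelib}/mypkg/__init__.py
%{python_sitelib}/mypkg/__init__.pyc
%ghost %{python_sitelib}/mypkg/__init__.pyo
%{python_sitelib}/mypkg/core.py
%{python_sitelib}/mypkg/core.pyc
%ghost %{python_sitelib}/mypkg/core.pyo
%{python_sitelib}/mypkg/util.py
"""


def parse_files_section(text):
    """Return {path: set_of_directives} for each file entry in a %files block.

    Directives such as %ghost, %config or %doc are the leading %-tokens;
    macros like %{python_sitelib} are part of the path, not directives.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%files") or line.startswith("%defattr"):
            continue
        tokens = line.split()
        directives = {t for t in tokens if t.startswith("%") and not t.startswith("%{")}
        entries[tokens[-1]] = directives
    return entries


def missing_bytecode(entries):
    """List (module, suffix) pairs for .py files whose .pyc/.pyo is neither
    packaged as a regular file nor listed as %ghost (both satisfy the rule)."""
    problems = []
    for path in sorted(entries):
        if not path.endswith(".py"):
            continue
        for suffix in (".pyc", ".pyo"):
            if path[:-3] + suffix not in entries:
                problems.append((path, suffix))
    return problems


if __name__ == "__main__":
    for module, suffix in missing_bytecode(parse_files_section(SAMPLE_FILES_SECTION)):
        print("%s: no packaged or %%ghost'd %s" % (module, suffix))
```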