
Re: python package: pyo files



On Wed, 2006-08-09 at 16:47 -0400, Jeremy Katz wrote:
> On Wed, 2006-08-09 at 11:16 -0700, Toshio Kuratomi wrote:
> > 
> > Unless I'm misremembering the issue, you get AVC denials in the logs due
> > to python's just-in-time byte compilation trying to write out the .pyo
> > file. The program should still run fine.
> 
> Sure, but denials (even when things end up working properly) still lead
> people to believe that there's a problem.  
> 
So why isn't SELinux allowing python to write the file or using a
dontaudit rule to not print an audit message for those denials?  SELinux
is supposed to prevent things that are unexpected from happening.
python is expected to attempt to write the .pyo.  (The write can still
fail based on file permissions as normal without logging an AVC denial,
right?)

I could be missing something that you'll point out next, but it seems
like we're solving the symptom rather than the issue.  Perhaps I'll be
using Fedora as a basis for a file server on a flash DOM.  I remove all
the .pyo's manually to save space and enable SELinux to help contain any
security holes.  Because I'm a silly goose, I've set
PYTHONOPTIMIZE="yes".  Now I've got tons of AVC messages....

I know just enough SELinux to be dangerous, so feel free to educate me.

-Toshio
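
An added example, not part of the original message: a small Python triage over constructed AVC records that separates denied bytecode-cache writes (.pyo/.pyc) from every other denial and emits the dontaudit rules that would silence the former. The domain `example_t`, the helper names and all sample records are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread); example_t is a hypothetical domain.
SAMPLE_LOG = """\
type=AVC msg=audit(1155156420.101:41): avc:  denied  { write } for  pid=2101 comm="python" name="yum.pyo" dev=dm-0 ino=4411 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1155156420.205:42): avc:  denied  { add_name } for  pid=2101 comm="python" name="rpmUtils.pyo" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1155156421.310:43): avc:  denied  { read } for  pid=2101 comm="python" name="shadow" dev=dm-0 ino=9001 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1155156422.000:44): avc:  denied  { write } for  pid=2230 comm="python" name="config.pyo" dev=dm-0 ino=4412 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# Permissions a bytecode-cache write needs: on the file, or on its parent directory.
BYTECODE_PERMS = {"write", "create", "add_name"}

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec["perms"] = frozenset(m.group("perms").split())
    rec["name"] = rec.get("name", "").strip('"')
    return rec

def type_of(context):
    return context.split(":")[2]  # user:role:type[:level]

def triage(log_text):
    """Split denials into bytecode-cache noise (counted per rule key) and the rest."""
    noise, other = Counter(), []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["name"].endswith((".pyo", ".pyc")) and rec["perms"] <= BYTECODE_PERMS:
            noise[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                   rec["tclass"], tuple(sorted(rec["perms"])))] += 1
        else:
            other.append(line)  # still needs a human look
    return noise, other

def dontaudit_rules(noise):
    """Candidate rules only: they match on types, not on the .pyo file name."""
    return ["dontaudit %s %s:%s { %s };" % (s, t, c, " ".join(p)) for s, t, c, p in sorted(noise)]

if __name__ == "__main__":
    noise, other = triage(SAMPLE_LOG)
    print("\n".join(dontaudit_rules(noise) + ["REVIEW: " + line for line in other]))
```

Because type-enforcement rules match on types rather than file names, each generated rule also silences every other denied write by that domain to the same target type, so review the candidates before loading any of them.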


