Re: python package: pyo files
- From: Jeremy Katz <katzj redhat com>
- To: Discussion related to Fedora Extras <fedora-extras-list redhat com>
- Subject: Re: python package: pyo files
- Date: Wed, 09 Aug 2006 17:23:52 -0400
On Wed, 2006-08-09 at 14:14 -0700, Toshio Kuratomi wrote:
> On Wed, 2006-08-09 at 16:47 -0400, Jeremy Katz wrote:
> > On Wed, 2006-08-09 at 11:16 -0700, Toshio Kuratomi wrote:
> > >
> > > Unless I'm misremembering the issue, you get AVC denials in the logs due
> > > to python's just-in-time byte compilation trying to write out the .pyo
> > > file. The program should still run fine.
> >
> > Sure, but denials (even when things end up working properly) still lead
> > people to believe that there's a problem.
> >
> So why isn't SELinux allowing python to write the file or using a
> dontaudit rule to not print an audit message for those denials? SELinux
> is supposed to prevent things that are unexpected from happening.
> python is expected to attempt to write the .pyo. (The write can still
> fail based on file permissions as normal without logging an AVC denial,
> right?)

Well, allowing normal users to write to /usr seems like a bad idea would
be first on my list of "why not allow it" ;-)

As for having a dontaudit rule, it's difficult as you can be talking
about *anything* written in python here. eg, think about having foo.py
in your homedir and just running it -- it's not going to have any
special context to be able to dontaudit writes to user.

And in general, if an application is trying to do that, we _do_ want to
know so that it can be fixed, so it's not practical to dontaudit all
attempts to write to /usr.

Jeremy
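
Added example, not part of the original message: a small triage script that picks the denials discussed in this thread (a python process refused write access under /usr) out of an audit log, so the packages missing precompiled files can be identified and fixed. The sample log lines are constructed, and treating `usr_t` and `lib_t` as the labels for /usr content is an assumption about the loaded policy.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1155158632.101:41): avc:  denied  { write } for  pid=2301 comm="python" name="site-packages" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1155158640.555:42): avc:  denied  { write } for  pid=2301 comm="python" name="foo" dev=dm-0 ino=98320 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1155158700.020:43): avc:  denied  { read } for  pid=2410 comm="httpd" name="shadow" dev=dm-0 ino=1201 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1155158710.900:44): avc:  denied  { write } for  pid=2301 comm="python" name="site-packages" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1155158720.310:45): avc:  denied  { write } for  pid=2301 comm="python" name="app.log" dev=dm-0 ino=5512 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_PERMS = {"write", "add_name", "create"}
SYSTEM_TYPES = {"usr_t", "lib_t"}  # assumption: labels used for /usr content


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus its permission set."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = set(m.group(1).split())
    return fields


def python_write_denials(log):
    """Count write-type denials by python processes on /usr-labelled objects."""
    hits = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        ctx = rec.get("tcontext", "").split(":")
        ttype = ctx[2] if len(ctx) > 2 else ""
        if (rec.get("comm", "").startswith("python")
                and rec.get("tclass") in ("dir", "file")
                and rec["perms"] & WRITE_PERMS
                and ttype in SYSTEM_TYPES):
            hits[(rec.get("name", "?"), ttype)] += 1
    return hits


if __name__ == "__main__":
    for (name, ttype), count in python_write_denials(SAMPLE_LOG).items():
        print(f"{count} denial(s): python write to {name!r} ({ttype})")
```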