Message364011
No, CPython's stdlib doesn't use libselinux.
I talked to an engineer from Red Hat's SELinux team today. SELinux returns EACCES for policy violations like in this case. The _copyxattr() helper function ignores EPERM but not EACCES. You are seeing a PermissionError exception because Python maps both EPERM and EACCES to PermissionError.
As a first fix the _copyxattr() helper could ignore all permission errors for the "security.*" namespace and just continue. This will get rid of the error but may still cause lots of AVC audit events.
A better but backwards incompatible approach is to handle the xattr namespaces differently. Linux defines four xattr namespaces: security, system, trusted, and user. The security namespace is used by security policies like Smack or SELinux. IMHO _copyxattr() should only copy user xattrs by default. The security namespace should only be copied when the caller opts-in. The cp tool has separate preserve settings for context (SELinux security context) and xattr (other extended attributes).

History
Date                | User             | Action | Args
2020-03-12 11:45:19 | christian.heimes | set    | recipients: + christian.heimes, Leif Middelschulte
2020-03-12 11:45:19 | christian.heimes | set    | messageid: <1584013519.4.0.0410198649586.issue38893@roundup.psfhosted.org>
2020-03-12 11:45:19 | christian.heimes | link   | issue38893 messages
2020-03-12 11:45:19 | christian.heimes | create |
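The namespace-aware copy that the message above argues for (copy user.* by default, copy security.* only when the caller opts in, and tolerate both EPERM and EACCES on the security namespace because SELinux reports policy denials as EACCES), written out as an added example. This is not CPython's shutil._copyxattr and not a patch from the issue; copy_xattrs, FakeXattrFS and demo are names chosen here. The in-memory filesystem, its labels and the "policy denies relabelling" behaviour are constructed test data; the real os.listxattr/os.getxattr/os.setxattr calls are used only when no replacements are passed in, so the function itself runs unchanged on a Linux box.

```python
import errno
import os

# Linux xattr namespaces, see attr(7): security, system, trusted, user.
SECURITY_NS = "security."
USER_NS = "user."

# errnos meaning "no xattrs here": unsupported filesystem, empty list, symlink.
_NO_XATTR_ERRNOS = (errno.ENOTSUP, errno.ENODATA, errno.EINVAL)
# SELinux reports a policy denial as EACCES, DAC/capability checks as EPERM.
# Python raises PermissionError for both, so the errno is what tells them apart.
_PERMISSION_ERRNOS = (errno.EPERM, errno.EACCES)


def copy_xattrs(src, dst, *, preserve_context=False, follow_symlinks=True,
                listxattr=None, getxattr=None, setxattr=None):
    """Copy extended attributes from src to dst (hypothetical helper).

    Only the "user." namespace is copied by default. "security." labels
    (e.g. security.selinux) are copied only with preserve_context=True,
    mirroring cp's separate --preserve=context and --preserve=xattr.
    "system." and "trusted." are never copied here ("trusted." needs
    CAP_SYS_ADMIN anyway). Permission errors on the security namespace are
    swallowed whether the kernel says EPERM or EACCES; permission errors on
    user.* still propagate. Returns (copied, skipped) attribute-name lists.
    """
    listxattr = listxattr or os.listxattr
    getxattr = getxattr or os.getxattr
    setxattr = setxattr or os.setxattr
    copied, skipped = [], []
    try:
        names = listxattr(src, follow_symlinks=follow_symlinks)
    except OSError as e:
        if e.errno in _NO_XATTR_ERRNOS:
            return copied, skipped
        raise
    for name in names:
        wanted = name.startswith(USER_NS) or (
            preserve_context and name.startswith(SECURITY_NS))
        if not wanted:
            skipped.append(name)
            continue
        try:
            value = getxattr(src, name, follow_symlinks=follow_symlinks)
            setxattr(dst, name, value, follow_symlinks=follow_symlinks)
        except OSError as e:
            label_denied = (name.startswith(SECURITY_NS)
                            and e.errno in _PERMISSION_ERRNOS)
            if label_denied or e.errno in _NO_XATTR_ERRNOS:
                skipped.append(name)  # not fatal: policy or fs said no
                continue
            raise
        copied.append(name)
    return copied, skipped


class FakeXattrFS:
    """Constructed in-memory stand-in for the os.*xattr calls.

    `denied` holds attribute names the pretend SELinux policy refuses to set
    on the destination; the refusal is reported as EACCES, as SELinux does.
    """

    def __init__(self, files, denied=()):
        self.files = {path: dict(attrs) for path, attrs in files.items()}
        self.denied = set(denied)

    def listxattr(self, path, *, follow_symlinks=True):
        return sorted(self.files[path])

    def getxattr(self, path, name, *, follow_symlinks=True):
        return self.files[path][name]

    def setxattr(self, path, name, value, flags=0, *, follow_symlinks=True):
        if name in self.denied:
            raise PermissionError(errno.EACCES, "Permission denied", path)
        self.files[path][name] = value


LABEL = b"unconfined_u:object_r:user_home_t:s0"  # constructed sample label


def demo(preserve_context, selinux_denies):
    """Copy a labelled file onto an empty one through the fake filesystem.

    Returns (dst attrs, copied, skipped) so the outcome can be inspected.
    """
    fs = FakeXattrFS(
        {"src": {"user.comment": b"hello",
                 "security.selinux": LABEL,
                 "trusted.overlay.opaque": b"y"},
         "dst": {}},
        denied={"security.selinux"} if selinux_denies else ())
    copied, skipped = copy_xattrs(
        "src", "dst", preserve_context=preserve_context,
        listxattr=fs.listxattr, getxattr=fs.getxattr, setxattr=fs.setxattr)
    return fs.files["dst"], copied, skipped


if __name__ == "__main__":
    for preserve, denies in ((False, True), (True, True), (True, False)):
        print(preserve, denies, demo(preserve, denies))
```

With the default call the SELinux label is never attempted, so no AVC is generated; with preserve_context=True and a denying policy the EACCES is absorbed exactly like an EPERM would be, and only when the policy allows it does security.selinux land on the destination. A permission error on a user.* attribute is deliberately left to propagate, since there it signals a real copy failure rather than a label the policy owns.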