Author christian.heimes
Recipients Leif Middelschulte, christian.heimes
Date 2020-03-12.11:45:19
Message-id <1584013519.4.0.0410198649586.issue38893@roundup.psfhosted.org>
Content
No, CPython's stdlib doesn't use libselinux.

I talked to an engineer from Red Hat's SELinux team today. SELinux returns EACCES for policy violations like in this case. The _copyxattr() helper function ignores EPERM but not EACCES. You are seeing a PermissionError exception because Python maps both EPERM and EACCES to PermissionError.

As a first fix, the _copyxattr() helper could ignore all permission errors for the "security.*" namespace and just continue. This will get rid of the error but may still cause lots of AVC audit events.

A better but backwards-incompatible approach is to handle the xattr namespaces differently. Linux defines four xattr namespaces: security, system, trusted, and user. The security namespace is used by security policies like Smack or SELinux. IMHO _copyxattr() should only copy user xattrs by default. The security namespace should only be copied when the caller opts in. The cp tool has separate preserve settings for context (SELinux security context) and xattr (other extended attributes).
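A sketch of the two options described in the message above, added here as an example; it is not code from CPython or from the message's author. The function name copy_xattrs, the namespaces parameter and the listx/getx/setx hooks are assumptions made for illustration.

```python
import errno
import os

PERMISSION_ERRNOS = {errno.EPERM, errno.EACCES}  # both surface as PermissionError
UNSUPPORTED_ERRNOS = {errno.ENOTSUP, errno.ENODATA, errno.EINVAL}


def namespace_of(name):
    """Return the xattr namespace, e.g. 'security' for 'security.selinux'."""
    return name.split(".", 1)[0]


def copy_xattrs(src, dst, *, namespaces=("user",), follow_symlinks=True,
                listx=None, getx=None, setx=None):
    """Copy xattrs from src to dst, limited to the opted-in namespaces.

    Hypothetical helper. Returns (copied, skipped) lists of attribute names.
    The listx/getx/setx hooks default to os.listxattr, os.getxattr and
    os.setxattr (Linux only) so the logic can run without xattr support.
    """
    listx = listx or os.listxattr
    getx = getx or os.getxattr
    setx = setx or os.setxattr
    copied, skipped = [], []
    try:
        names = listx(src, follow_symlinks=follow_symlinks)
    except OSError as e:
        if e.errno in UNSUPPORTED_ERRNOS:
            return copied, skipped  # filesystem has no xattr support
        raise
    for name in names:
        if namespace_of(name) not in namespaces:
            skipped.append(name)  # namespace not opted in: never touched
            continue
        try:
            value = getx(src, name, follow_symlinks=follow_symlinks)
            setx(dst, name, value, follow_symlinks=follow_symlinks)
        except OSError as e:
            tolerated = e.errno in UNSUPPORTED_ERRNOS or (
                namespace_of(name) == "security" and e.errno in PERMISSION_ERRNOS)
            if not tolerated:
                raise
            skipped.append(name)  # e.g. a policy denial reported as EACCES
            continue
        copied.append(name)
    return copied, skipped
```

With the default namespaces=("user",) the security attributes are never read or written, so no denial is triggered; passing namespaces=("user", "security") opts in and tolerates EPERM and EACCES for "security.*" only.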