Message 378031 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ensc2
Recipients	Leif Middelschulte, christian.heimes, ensc2, hynek
Date	2020-10-05.14:28:36
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1601908117.07.0.758872035031.issue38893@roundup.psfhosted.org>
In-reply-to

Content
IMO the SELinux security attributes must not be copied (except when requested explicitly). Doing so will create badly labeled systems else. It would be better to use default transition rules and call optionally selinux_restorecon() then. E.g. when copying selinux.* attributes, after "cp /tmp/foo /bin/" the resulting "/bin/foo" would have a "tmp_t" label (which is wrong). Without copying attributes, it would be labeled as "bin_t" (which is more realistic). When there are SELinux rules for "/bin/foo", it might be relabeled e.g. to "bin_foo_t" by the manual selinux_restorecon(). Ignoring errors silently will make operations very unpredictable.

IMO the SELinux security attributes must not be copied (except when requested explicitly).  Doing so will create badly labeled systems else.  It would be better to use default transition rules and call optionally selinux_restorecon() then.

E.g. when copying selinux.* attributes, after "cp /tmp/foo /bin/" the resulting "/bin/foo" would have a "tmp_t" label (which is wrong).

Without copying attributes, it would be labeled as "bin_t" (which is more realistic).

When there are SELinux rules for "/bin/foo", it might be relabeled e.g. to "bin_foo_t" by the manual selinux_restorecon().


Ignoring errors silently will make operations very unpredictable.

History
Date	User	Action	Args
2020-10-05 14:28:37	ensc2	set	recipients: + ensc2, christian.heimes, hynek, Leif Middelschulte
2020-10-05 14:28:37	ensc2	set	messageid: <1601908117.07.0.758872035031.issue38893@roundup.psfhosted.org>
2020-10-05 14:28:37	ensc2	link	issue38893 messages
2020-10-05 14:28:36	ensc2	create