[Distutils] [issue72] easy_install violates SELinux policies

Jonathan Cervidae setuptools at bugs.python.org
Tue May 26 23:06:37 CEST 2009


New submission from Jonathan Cervidae <jonathan.cervidae at gmail.com>:

I get AVCs after installing eggs with easy_install. The AVCs are that the
files are mislabeled as:

unconfined_u:object_r:user_tmp_t:s0

When we want them to be:

system_u:object_r:lib_t:s0

It stops python from accessing the files. I haven't looked at the source
code, but those contexts suggest that easy_install is downloading the egg
file to a temp directory then moving (not copying) it from the temp dir to
/usr/lib/python<VERSION>/site-packages.

This is clearly a good thing as unnecessary copying should be avoided and
it's easy to fix too.

I notice there is a python module called selinux installed on my system. So
you need to try and import that. If you succeed you can try and restore the
context after moving it to the new location and just ignore any error on that too.

----------
files: fix.txt
messages: 292
nosy: jcervidae
priority: bug
status: unread
title: easy_install violates SELinux policies
Added file: http://bugs.python.org/setuptools/file53/fix.txt

_______________________________________________
Setuptools tracker <setuptools at bugs.python.org>
<http://bugs.python.org/setuptools/issue72>
_______________________________________________
-------------- next part --------------
[root at jaydee tmp]# python
Python 2.5.2 (r252:60911, Sep 30 2008, 15:41:38)
[GCC 4.3.2 20080917 (Red Hat 4.3.2-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os, tempfile, shutil, subprocess
>>> import selinux # try/except block around this to see if the issue will happen
>>> temp_fd, a_temp_file = tempfile.mkstemp()
>>> shutil.move(a_temp_file,'/usr/lib/python2.5/site-packages/broken.egg')
>>> # Don't know how to do this in Python
... subprocess.call(("restorecon", "-nv", "/usr/lib/python2.5/site-packages/broken.egg"))
restorecon reset /usr/lib/python2.5/site-packages/broken.egg context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:lib_t:s0
0
>>> # But I do know how to fix them in python
... selinux.restorecon("/usr/lib/python2.5/site-packages/broken.egg")
>>> # No more output because the context is now correct
... subprocess.call(("restorecon", "-nv", "/usr/lib/python2.5/site-packages/broken.egg"))
0
>>> # Calling it if context was already correct because user had an insane selinux policy does no harm either
... selinux.restorecon("/usr/lib/python2.5/site-packages/broken.egg")
>>> os.close(temp_fd)
>>> os.remove("/usr/lib/python2.5/site-packages/broken.egg")
>>> quit()
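
The fix the report proposes, written out as an added example (not part of the original post and not setuptools code): move the file, then reset its SELinux label on a best-effort basis. The names move_and_relabel, relabel and demo are hypothetical; the demo moves a constructed temp file into a scratch directory rather than site-packages.

```python
import os
import shutil
import tempfile

try:
    import selinux  # libselinux Python bindings; absent on non-SELinux systems
except ImportError:
    selinux = None


def _default_relabel(path):
    """Reset path to the context the loaded policy assigns to its location."""
    if selinux is None or not selinux.is_selinux_enabled():
        return False
    selinux.restorecon(path)
    return True


def move_and_relabel(src, dst, relabel=_default_relabel):
    """Move src to dst, then best-effort restore the SELinux context of dst.

    A rename keeps the label the file received where it was created (for
    example user_tmp_t), so the label is reset after the move. A relabel
    failure never aborts the install. Returns True if a relabel was done.
    """
    shutil.move(src, dst)
    try:
        return bool(relabel(dst))
    except Exception:  # the report asks to ignore any error from this step
        return False


def demo():
    """Constructed demo: move a temp file into a scratch directory."""
    fd, src = tempfile.mkstemp(suffix=".egg")
    os.close(fd)
    target_dir = tempfile.mkdtemp()
    dst = os.path.join(target_dir, "example.egg")
    relabeled = move_and_relabel(src, dst)
    moved = os.path.exists(dst) and not os.path.exists(src)
    shutil.rmtree(target_dir)
    return moved, relabeled


if __name__ == "__main__":
    print(demo())
```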

 	  	 

