[issue38893] broken container/selinux integration

Enrico Scholz report at bugs.python.org
Mon Oct 5 10:28:37 EDT 2020


Enrico Scholz <github at ensc.de> added the comment:

IMO the SELinux security attributes must not be copied (except when requested explicitly).  Doing so will otherwise create badly labeled systems.  It would be better to use the default transition rules and then optionally call selinux_restorecon().

E.g. when copying selinux.* attributes, after "cp /tmp/foo /bin/" the resulting "/bin/foo" would have a "tmp_t" label (which is wrong).

Without copying attributes, it would be labeled as "bin_t" (which is more realistic).

When there are SELinux rules for "/bin/foo", it might be relabeled e.g. to "bin_foo_t" by the manual selinux_restorecon().


Ignoring errors silently will make operations very unpredictable.

----------
nosy: +ensc2

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38893>
_______________________________________
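As an added example (not code from the tracker issue or from CPython itself), the following shows the copy policy argued for above: carry over extended attributes except `security.selinux`, copy the label only when the caller asks for it, and optionally ask the policy for the correct label afterwards. `select_xattrs_to_copy` is a pure helper so the policy can be checked without SELinux present; `copy_xattrs` applies it with the Linux-only `os.listxattr`/`os.getxattr`/`os.setxattr` calls and, as an assumption, shells out to the `restorecon` binary from policycoreutils in place of the `selinux_restorecon()` library call. Errors from the filesystem are propagated rather than swallowed, matching the point about silent failures. The sample attribute sets are constructed.

```python
import os
import subprocess
from typing import Dict

# The xattr that carries a file's SELinux label.
SELINUX_XATTR = "security.selinux"


def select_xattrs_to_copy(attrs: Dict[str, bytes], copy_selinux: bool = False) -> Dict[str, bytes]:
    """Return the subset of `attrs` that a copy should carry to the destination.

    Every attribute except security.selinux is copied.  The label is copied only
    when explicitly requested, so a file copied from /tmp into /bin picks up its
    label from the destination's default transition rules (bin_t) rather than
    dragging tmp_t along with it.
    """
    return {name: value for name, value in attrs.items()
            if copy_selinux or name != SELINUX_XATTR}


def read_xattrs(path: str) -> Dict[str, bytes]:
    """Read all extended attributes of `path` (Linux only; does not follow symlinks)."""
    return {name: os.getxattr(path, name, follow_symlinks=False)
            for name in os.listxattr(path, follow_symlinks=False)}


def copy_xattrs(src: str, dst: str, copy_selinux: bool = False, restorecon: bool = False) -> list:
    """Copy xattrs from `src` to `dst` under the policy above; return the names copied.

    OSError from setxattr (e.g. ENOTSUP on a filesystem without xattrs, or EACCES
    on a security.* attribute) is deliberately not caught: a caller should see the
    failure instead of getting an unpredictably half-labeled file.
    """
    attrs = select_xattrs_to_copy(read_xattrs(src), copy_selinux)
    for name, value in attrs.items():
        os.setxattr(dst, name, value, follow_symlinks=False)
    if restorecon:
        # Assumption: the `restorecon` CLI (policycoreutils) is on PATH.  It applies
        # the file-context rules for the destination path, e.g. bin_foo_t for /bin/foo.
        subprocess.run(["restorecon", dst], check=True)
    return sorted(attrs)


if __name__ == "__main__":
    # Constructed example: what a file copied out of /tmp would carry.
    tmp_file_attrs = {
        SELINUX_XATTR: b"unconfined_u:object_r:tmp_t:s0",
        "user.origin": b"build-host-1",
    }
    print("default copy:", select_xattrs_to_copy(tmp_file_attrs))
    print("explicit label copy:", select_xattrs_to_copy(tmp_file_attrs, copy_selinux=True))
```

With the default policy the destination's label is left to the kernel's transition rules and, when `restorecon=True`, corrected against the configured file contexts; passing `copy_selinux=True` reproduces the behaviour the comment objects to, and is there only for callers that genuinely want a verbatim clone (e.g. backup/restore onto the same path).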