On Tue, 2005-06-21 at 13:20 -0400, Peter Jones wrote:
> On Tue, 2005-06-21 at 13:06 +0200, Tomas Mraz wrote:
> > > More (much more?) work for little gain, but likely the correct solution
> > > would be to configure SELinux policy to recognize a python program
> > > trying to write a pyo file and allow that to pass. (Coupled with
> > > %ghosting.)
> >
> > No, that wouldn't be secure. The written .pyo file could be arbitrary
> > code which if run again for example from a different security context
> > could exploit your system even more.
>
> Just to be sure, is this really a problem at all? We're not shipping
> python set up to generate the .pyc and .pyo files by default, AFAIK,
> we're merely making rpm run the .pyc's through python -O.
>
> So if you log in as root and run some random python program that has a
> bunch of .py's in /usr/lib/python2.4/site-packages/, that shouldn't be
> generating .pyc's and .pyo's.
>
Python does generate .pyc's by default. If certain environment variables
are set then it generates pyo's instead. This is why pyc's and pyo's must
either be included in the package or %ghost'd.

> This is _just_ /usr/lib/rpm/brp-redhat running brp-python-bytecompile,
> which in turn uses python -O to make .pyc's. It's not something at
> runtime.

The announcement is about the use of brp-python-bytecompile, which makes
both pyc's and pyo's in the package build step. This is good as it saves
some spec file work to get right. These are then listed in the %files
section. However, the pyo's can either be listed as regular files there or
as %ghost files. Shahms asked whether we should continue to %ghost, and
Nalin replied with a bug report which shows "failures" when pyc's and
pyo's are not present. It looks like the "failure" is actually an SELinux
log message warning that python is trying to write out the pyc/pyo file if
it doesn't already exist.

-Toshio
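As an added illustration of the two `%files` conventions the thread compares (shipping the `.pyo` files as regular files versus `%ghost`ing them), here is a spec-file fragment. It is not from any message in the thread: the package name `foo` and its module layout are placeholders, and the `python_sitelib` macro definition is the form Fedora spec files of this period commonly used, assumed here rather than taken from the thread.

```spec
# Added example, not from the thread. "foo" and its module layout are
# placeholders. Assumes brp-python-bytecompile (run from
# /usr/lib/rpm/brp-redhat, as the thread describes) has already produced
# the .pyc and .pyo files next to the .py sources in the buildroot.
%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}

Name:           foo
Version:        1.0
Release:        1
Summary:        Placeholder Python package
License:        MIT
BuildArch:      noarch
BuildRequires:  python-devel

%description
Placeholder package illustrating how bytecode files are listed.

%files
%defattr(-,root,root,-)
%dir %{python_sitelib}/foo
%{python_sitelib}/foo/*.py
# The plain .pyc files are always shipped: python writes them on first
# import if they are missing, and a user or service whose SELinux context
# cannot write under site-packages would otherwise trigger the denial the
# bug report in the thread calls a "failure".
%{python_sitelib}/foo/*.pyc
# The optimized bytecode. With the %%ghost directive rpm owns the path and
# removes it on uninstall but does not install the file; the first
# "python -O" run that can write here creates it. Drop the %%ghost directive
# to ship the built .pyo as a regular, rpm-verified file instead, so no
# runtime write under site-packages is ever attempted.
%ghost %{python_sitelib}/foo/*.pyo
```

With the `%ghost` form, `rpm -V foo` does not complain about the missing `.pyo`, but any later write of that file happens outside rpm's control, which is the concern Tomas raises above; listing it as a regular file keeps the bytecode's checksum in the rpm database, so `rpm -V` detects a modified `.pyo`.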