On Wed, 2006-08-09 at 16:47 -0400, Jeremy Katz wrote:
> On Wed, 2006-08-09 at 11:16 -0700, Toshio Kuratomi wrote:
> >
> > Unless I'm misremembering the issue, you get AVC denials in the logs due
> > to python's just-in-time byte compilation trying to write out the .pyo
> > file. The program should still run fine.
>
> Sure, but denials (even when things end up working properly) still lead
> people to believe that there's a problem.
>

So why isn't SELinux allowing python to write the file or using a dontaudit rule to not print an audit message for those denials?

SELinux is supposed to prevent things that are unexpected from happening. python is expected to attempt to write the .pyo. (The write can still fail based on file permissions as normal without logging an AVC denial, right?)

I could be missing something that you'll point out next, but it seems like we're solving the symptom rather than the issue.

Perhaps I'll be using Fedora as a basis for a file server on a flash DOM. I remove all the .pyo's manually to save space and enable SELinux to help contain any security holes. Because I'm a silly goose, I've set PYTHONOPTIMIZE="yes". Now I've got tons of AVC messages....

I know just enough SELinux to be dangerous, so feel free to educate me.

-Toshio
-- fedora-extras-list mailing list fedora-extras-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-extras-list
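
An added example, not part of the original message or of any Fedora tooling: a triage script for the AVC denials discussed in the thread, which separates python bytecode-write noise from other denials and shows which unrelated denials a type-based dontaudit rule would also silence. The log lines, `example_t` and the other type names are constructed placeholders.

```python
import re

# Constructed sample audit.log lines (not from the thread); type names are placeholders.
SAMPLE_LOG = '''\
type=AVC msg=audit(1155156420.102:42): avc:  denied  { add_name } for  pid=2211 comm="python" name="util.pyo" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1155156420.103:43): avc:  denied  { create } for  pid=2211 comm="python" name="util.pyo" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1155156431.700:51): avc:  denied  { add_name } for  pid=2290 comm="python" name="helper.so" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1155156440.009:57): avc:  denied  { read } for  pid=2301 comm="python" name="shadow" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\w+)')
WRITE_PERMS = {"write", "create", "add_name"}

def parse(log):
    """Yield one dict per AVC denial line found in the log text."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            # A context is user:role:type[:level]; policy rules match on the type field.
            d["rule"] = (d["s"].split(":")[2], d["t"].split(":")[2], d["cls"])
            d["perms"] = set(d["perms"].split())
            yield d

def is_bytecode_write(d):
    """True for a python process denied a write-like permission on a .pyc/.pyo name."""
    return bool(d["comm"].startswith("python") and d["perms"] & WRITE_PERMS
                and d["name"].endswith((".pyc", ".pyo")))

def triage(log):
    events = list(parse(log))
    noise = [d for d in events if is_bytecode_write(d)]
    # A dontaudit rule is keyed on (source type, target type, class, permission),
    # not on file name, so it also silences any other denial with the same key.
    covered = {(d["rule"], p) for d in noise for p in d["perms"]}
    collateral = [d for d in events if not is_bytecode_write(d)
                  and any((d["rule"], p) in covered for p in d["perms"])]
    other = [d for d in events if not is_bytecode_write(d) and d not in collateral]
    return noise, collateral, other

if __name__ == "__main__":
    for label, group in zip(("noise", "collateral", "other"), triage(SAMPLE_LOG)):
        print(label, [(d["name"], sorted(d["perms"]), d["rule"]) for d in group])
```

The `collateral` list is what to review before suppressing anything: in the sample, the denied attempt to add `helper.so` to a library directory would stop being logged under the same rule that hides the `.pyo` writes.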