On Wed, 2006-08-09 at 14:14 -0700, Toshio Kuratomi wrote:
> On Wed, 2006-08-09 at 16:47 -0400, Jeremy Katz wrote:
> > On Wed, 2006-08-09 at 11:16 -0700, Toshio Kuratomi wrote:
> > >
> > > Unless I'm misremembering the issue, you get AVC denials in the logs due
> > > to python's just-in-time byte compilation trying to write out the .pyo
> > > file. The program should still run fine.
> >
> > Sure, but denials (even when things end up working properly) still lead
> > people to believe that there's a problem.
> >
> So why isn't SELinux allowing python to write the file or using a
> dontaudit rule to not print an audit message for those denials? SELinux
> is supposed to prevent things that are unexpected from happening.
> python is expected to attempt to write the .pyo. (The write can still
> fail based on file permissions as normal without logging an AVC denial,
> right?)

Well, allowing normal users to write to /usr seems like a bad idea would
be first on my list of "why not allow it" ;-)

As for having a dontaudit rule, it's difficult as you can be talking
about *anything* written in python here. e.g., think about having foo.py
in your homedir and just running it -- it's not going to have any special
context to be able to dontaudit writes to user. And in general, if an
application is trying to do that, we _do_ want to know so that it can be
fixed, so it's not practical to dontaudit all attempts to write to /usr.

Jeremy
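The triage problem discussed in this message, as an added example that is not part of the original thread: a small parser that separates AVC write denials clearly caused by Python bytecode files from other write denials that still need review. The log lines, the `example_t` domain and the `exampled` process name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1155158040.101:41): avc:  denied  { add_name } for  pid=2101 comm="python" name="foo.pyo" scontext=user_u:system_r:example_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1155158040.102:42): avc:  denied  { write } for  pid=2101 comm="python" name="site-packages" dev=dm-0 ino=1201 scontext=user_u:system_r:example_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1155158055.300:43): avc:  denied  { write } for  pid=2250 comm="exampled" name="example.conf" dev=dm-0 ino=1310 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1155158060.000:44): avc:  denied  { read } for  pid=2300 comm="python" name="shadow" dev=dm-0 ino=99 scontext=user_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_PERMS = {"write", "add_name", "create"}
BYTECODE_SUFFIXES = (".pyc", ".pyo")

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def target_type(rec):
    """Extract the SELinux type (third field) from the target context."""
    parts = rec.get("tcontext", "").split(":")
    return parts[2] if len(parts) > 2 else "?"

def classify(rec):
    if not rec["perms"] & WRITE_PERMS:
        return "other"
    # Only the file name ties a denial to bytecode; a bare directory write
    # by python is ambiguous, so it stays in the review bucket.
    if rec.get("comm", "").startswith("python") and \
            rec.get("name", "").endswith(BYTECODE_SUFFIXES):
        return "bytecode-write"
    return "write-review"

def triage(log_text):
    """Count denials by (class, process name, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(classify(rec), rec.get("comm", "?"), target_type(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_LOG).items()):
        print(n, *key)
```

The second sample record shows why a blanket rule is hard to write: the denial names only the directory, so nothing in it distinguishes a bytecode write from any other write to /usr.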