When selinux module is imported from a Python script, the content of
__init__.py is compiled into bytecode and the result is saved into a
file if it is allowed. For example, when root runs with Python 3.7 a
script that uses "import selinux" on a system where SELinux is in
permissive mode, this file may be created:
/usr/lib/python3.7/site-packages/selinux/__pycache__/__init__.cpython-37.pyc
Prevent this file from being dynamically created by creating it when
libselinux is installed, using "python -m compileall".
Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
---
libselinux/src/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 3b8bad810de0..349f957355c1 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -176,6 +176,7 @@ install-pywrap: pywrap
$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+ $(PYTHON) -m compileall $(DESTDIR)$(PYTHONLIBDIR)/selinux
install-rubywrap: rubywrap
test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
--
2.23.0
