Bug 1719978

Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

Unfortunately we were not able to address the problem in development phase, therefore we postpone it to next minor product update. If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.

Ok Vit, I've opened case 02409561.  Considering that the entire python3 stack is new for 7.7, I'm hoping this can be resolved at the same time and won't be delayed until 7.8.

Note that only the Python 3 interpreter, and some basic libraries, were added to RHEL 7. Not the entire stack.

As far as I know, requests for individual libraries are treated as any other request to add and support some software not yet in RHEL.

Note that this bugzilla is now private (due to being assigned to the distribution component) and the original reporter most likely lost access to it.

*** Bug 1751163 has been marked as a duplicate of this bug. ***

Refusal to include libselinux is almost as good as making python3 unusable for any practical means. (Example: Ansible will not work without it).

Not sure if this was by-design decision but a direct side-effect of it is that currently there is no usable python3 on current centos release and it will not be due to https://bugs.centos.org/view.php?id=16389

There is no release date for CentOS8 and Python 2.7 final day is 2020-01-01, less than 3 months away.

I do see the real danger that we will end-up without having any supported python version available on CentOS in general.

We did advertise python36 as helping developers port their code/products, but apparently what we gave is a broken stick.

The implications are really serious regarding testing because on OpenStack we have unittest and functional tests that do need to be tested with multiple versions of python (if selinux is missing some of them will fail, all of those using ansible).

Lucky for OpenStack upstream, their preferred test platform is Ubuntu, which is not subject to the selinux issue (cannot blame them for having that preference).

So we should wonder if we fail to deliver changes in time when we are not given the basic building blocks.

> Refusal to include libselinux is almost as good as making python3 unusable for any practical means. (Example: Ansible will not work without it).

I don't think that ansible is the only use case of python, so I don't agree with "unusable for any practical means". Yet I agree completely that the missing modules, such as python3-selinux, make the entire thing less useful and I was always arguing to include them. However I've been told that it's too late to do it (note that I don't understand processes around RHEL much, but AFAIK 7.7 is shipped and 7.8 is beyond new features).

> Not sure if this was by-design decision 

It was designed that we will add python3 interpreter.

See comment #7:
> Note that only the Python 3 interpreter, and some basic libraries, were
> added to RHEL 7. Not the entire stack.
> 
> As far as I know, requests for individual libraries are treated as any other
> request to add and support some software not yet in RHEL.

Can we make this bug public again?  It's being discusses elsewhere on the internet (https://bugs.centos.org/view.php?id=16389) and it would be beneficial to be able to link this bug, if nothing else to show that Red Hat has declined to address it.

(In reply to Carl George from comment #15)
> Can we make this bug public again?  It's being discusses elsewhere on the
> internet (https://bugs.centos.org/view.php?id=16389) and it would be
> beneficial to be able to link this bug, if nothing else to show that Red Hat
> has declined to address it.

Trying to re-open it again, not sure whether the bot will hide it again, because the request is on distribution bug, we'll see.

As written above, the intention was to ship the minimal stack (to be able to do it all) and I totally understand that many binary extensions are missing now.

Considering the status of RHEL-7, which just entered Maintenance Support 1 phase according to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.7_release_notes/index, inclusion of many new packages will likely not happen, so I'd rather take a look at specific cases and how we can solve them.

One obvious answer might be -- there is always possibility to build the missing packages yourself. Not having them available and supported in the RHEL itself should not block anybody to do it. But I guess this is not really helping much.

Would inclusion in EPEL be an option for example? (trying to brainstorm a bit..)

It's possible, but not easy.  One can take a RHEL spec file (libselinux.spec for example), change the name (EPEL builds can't have a name conflict with RHEL, even on the SRPM name), and remove all sections of the spec that don't affect the Python extension they want.  That's much more difficult when the Python extension is created via makefile, like libselinux is.  Another approach would be to keep the same build steps as RHEL, then manually delete the files that would conflict with a RHEL package.  Again, doable, but difficult and error prone.  Enabling the python3 subpackage is really the right answer, and it's a shame that Red Hat isn't interested in that approach.  Doing that in any capacity (no support, extras, tech preview, whatever) would really help customers in their EL8/PY3 porting efforts.

And yes, I said customer.  Despite the misconception in bug 1639030 that this wasn't a customer request, Rackspace has case 02409561 open specifically requesting libselinux-python3.  I'm sorry I didn't open that support case sooner during the process to help y'all get this done.

How was this overlooked?

Like someone mentioned earlier, Python 3 is essentially useless without this.

We are building CI pipelines leveraging Molecule, Ansible, Helm, and Docker which all depend on libselinux. This means we can't build runners with RHEL 7, or 8 until this is resolved.

FYI for those interested in this, I figured out a stand alone spec file and submitted it for review in bug 1754039.  If anyone has the time to do the package review I'd appreciate it.

As a side note:

If the package is named libselinux-python3, please provide python3-libselinux = %{version}-%{release} and python3-libselinux%{?_isa} = %{version}-%{release} for compatibility with RHEL 8 and Fedora.
If the package is named python3-libselinux, please provide libselinux-python3 = %{version}-%{release} and libselinux-python3%{?_isa} = %{version}-%{release} for compatibility with the Python 2 package.

As we managed to get acknowledgements from PM, devel, and QE, we are initiating the process to include the libselinux-python3 subpackage into RHEL 7.

I see that this bug was cloned as bug 1756015.  Should we close this one now?

Carl,

Please do not close any bug as both of them are needed for the process to continue.

Like just-in-time compilers for JAVA, Python3 includes some neat features like the ability to one-time compile python3 scripts (eg. "file.py") which are saved to "./__pycache__/file.pyc" but this only works from lesser-priv accounts, like Apache, when SELinux is shifted into permissive mode.

Other distros have already got this working:
https://rpmfind.net/linux/rpm2html/search.php?query=*selinux*python3*&submit=Search

I am surprised that there has been no movement on this problem in the past 14-days. According to the developers of Python, Python2 will become obsolete starting in 2020 which means that Python3 will be the only game in town. On all our systems we have put SELinux into permissive mode in order to save ~ 20mS for every web transaction. Needless to say that this has made management very nervous. We need to be able to tell SELinux that it is alright to write a compiled version of any python3 script into subdirectory "__pycache__"

We do have now 2020 and still now rpm for RHEL7 in sight. Any chance to raise the priority on this regard?

This appears to be resolved in libselinux-2.5-15, which Red Hat has pushed to the c7-beta branch in git.centos.org.

https://git.centos.org/rpms/libselinux/blob/c7-beta/f/SPECS/libselinux.spec#_259

re: comment 33
Clicking on that link takes me to an entry dated: Sep 26 2019. Has there been no movement on this in 4 months? Did libselinux-python3 get lost somewhere along the way?

It was built, tested (see bz1756015 - it has status VERIFIED) and delivered as part of RHEL 7.8 Beta - https://access.redhat.com/downloads/content/rhel---7/x86_64/2484/libselinux-python3/2.5-15.el7/x86_64/fd431d51/package

*** This bug has been marked as a duplicate of bug 1756015 ***

re:  comment 35

RHEL-7.8 eh? Am I correct in assuming that this package be back-ported to CentOS-7.7 or will it only be made available in CentOS-8 ?

Given that the spec file change is already in c7-beta branch, it would eventually land in CentOS 7.8. I don't know if there any plans to backport it to 7.7, your guess is as good as mine.

CentOS 8 has python3-libselinux already:

[root@server-centos8 /]# dnf info python3-libselinux 
Last metadata expiration check: 0:00:09 ago on Wed 05 Feb 2020 02:09:48 PM UTC.
Available Packages
Name         : python3-libselinux
Version      : 2.9
Release      : 2.1.el8
Architecture : x86_64
Size         : 283 k
Source       : libselinux-2.9-2.1.el8.src.rpm
Repository   : BaseOS
Summary      : SELinux python 3 bindings for libselinux
URL          : https://github.com/SELinuxProject/selinux/wiki
License      : Public Domain
Description  : The libselinux-python3 package contains python 3 bindings for developing
             : SELinux applications.