Bug 2207684

Summary: Don't add user site directory to sys.path
Product: [Fedora] Fedora
Component: blueman
Version: 37
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Keywords: Desktop
Reporter: Doncho Gunchev <dgunchev>
Assignee: Artur Frenszek-Iwicki <fedora>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: fedora, fedora
Fixed In Version: blueman-2.3.5-3.fc38 blueman-2.3.5-2.fc37
Last Closed: 2023-06-17 01:22:29 UTC

Description Doncho Gunchev 2023-05-16 14:05:23 UTC
If someone installs packages in his user site directory then Blueman may start using one of these instead of the system package. This can create problems with compatibility and SELinux ( https://bugzilla.redhat.com/show_bug.cgi?id=2179800 ).

To get rid of the SELinux messages I had to modify

$ rpm -ql blueman | grep '/usr/\(bin\|libexec\)/'
/usr/bin/blueman-adapters
/usr/bin/blueman-applet
/usr/bin/blueman-manager
/usr/bin/blueman-sendto
/usr/bin/blueman-services
/usr/bin/blueman-tray
/usr/libexec/blueman-mechanism
/usr/libexec/blueman-rfcomm-watcher

and add at least '-s'. Tuned uses a similar approach:

$ head -n 1 /usr/sbin/tuned
#!/usr/libexec/platform-python -Es

Reproducible: Always

Steps to Reproduce:
1. Install Blueman
2. Login and try using it

Actual Results:  
SELinux error message from the SELinux Troubleshooter.

Expected Results:  
No SELinux errors and no python user site files being accessed.

Comment 1 Artur Frenszek-Iwicki 2023-05-16 21:30:59 UTC
Ok, so it seems this can be fixed quite easily by running %py3_shebang_fix on the installed files.
This tool defaults to adding "-sP", but it's easy enough to change that to "-sPE".

Any downside to having all three of those, or should I just go ahead?

Comment 2 Doncho Gunchev 2023-06-07 08:57:35 UTC
IDK, "-sPE" sounds even better to me. IMHO if the user wants to run the app with custom libraries it would be logical to also run a custom main app, not use the system-wide one.

Comment 3 Fedora Update System 2023-06-08 10:02:27 UTC
FEDORA-2023-6f71ab0049 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-6f71ab0049

Comment 4 Fedora Update System 2023-06-08 10:37:30 UTC
FEDORA-2023-1e7501bfa3 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-1e7501bfa3

Comment 5 Fedora Update System 2023-06-09 01:39:47 UTC
FEDORA-2023-6f71ab0049 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-6f71ab0049`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-6f71ab0049

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-06-09 03:01:43 UTC
FEDORA-2023-1e7501bfa3 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-1e7501bfa3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-1e7501bfa3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-06-17 01:22:29 UTC
FEDORA-2023-6f71ab0049 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2023-06-17 02:07:26 UTC
FEDORA-2023-1e7501bfa3 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
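
The interpreter flags discussed in this report (-s in the description, -P and -E in comments 1 and 2) can be checked on installed scripts by reading their shebang lines. The Python sketch below is an added example, not part of the bug report or of blueman's packaging; the function names and sample lines are constructed for illustration, except the tuned shebang quoted in the description.

```python
import os
import re

# -s: no user site directory; -E: ignore PYTHON* variables; -P: no unsafe sys.path[0]
REQUIRED = frozenset("sPE")
TAKES_ARGUMENT = frozenset("WXcm")  # options that consume the rest of their token
PYTHON_NAME = re.compile(r"^(platform-)?python(\d+(\.\d+)?)?$")
# Constructed sample first lines; only the tuned one is quoted from the report.
SAMPLES = ["#!/usr/bin/python3", "#!/usr/bin/python3 -sP",
           "#!/usr/libexec/platform-python -Es", "#!/bin/sh"]


def missing_flags(first_line, required=REQUIRED):
    """Required flags a Python shebang lacks; None if the line is not one."""
    parts = first_line[2:].split() if first_line.startswith("#!") else []
    if not parts:
        return None
    if os.path.basename(parts[0]) == "env":
        # No flags reach the interpreter (env -S is reported conservatively).
        return set(required) if any(PYTHON_NAME.match(p) for p in parts[1:]) else None
    if not PYTHON_NAME.match(os.path.basename(parts[0])):
        return None
    flags = set()
    for token in parts[1:]:
        if not token.startswith("-") or token.startswith("--"):
            break
        for letter in token[1:]:
            if letter in TAKES_ARGUMENT:
                break
            flags.add(letter)
    if "I" in flags:  # isolated mode implies -E, -P and -s
        flags |= {"E", "P", "s"}
    return set(required) - flags


def audit(paths, required=REQUIRED):
    """Map each Python script among the regular files in `paths` to its missing flags."""
    report = {}
    for path in filter(os.path.isfile, paths):
        with open(path, "rb") as handle:
            line = handle.readline(256).decode("utf-8", "replace")
        if missing := missing_flags(line, required):
            report[path] = missing
    return report


if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", missing_flags(line))
```

`audit()` takes file paths, such as those printed by the `rpm -ql` command in the description, and returns only the scripts whose shebang lacks one of the required flags.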