RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1363835 - Changes in /etc/mm_cfg.py trigger .pyc/.pyo rebuillds under /usr
Summary: Changes in /etc/mm_cfg.py trigger .pyc/.pyo rebuillds under /usr
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mailman
Version: 6.8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Pavel Šimerda (pavlix)
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1356054 1373253
TreeView+ depends on / blocked
 
Reported: 2016-08-03 17:09 UTC by Alois Mahdal
Modified: 2017-03-21 12:04 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-21 12:04:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 905164 0 unspecified CLOSED Symlink /etc/mailman/mm_cfg.py -> /usr/lib/mailman/Mailman/mm_cfg.py should be the other way round 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2017:0800 0 normal SHIPPED_LIVE mailman bug fix update 2017-03-21 12:52:03 UTC

Internal Links: 905164

Description Alois Mahdal 2016-08-03 17:09:24 UTC 
Description of problem
======================

Currently, mm_cfg.py is deployed as file under /usr, and a symlink is
added into /etc.

This brings several problems:

 *  it's against best practice: /etc should contain host-specific config.

 *  Consequently, when one edits the file, next read (on service start)
    triggers .pyc re-build, but this happens under /usr.  That causes
    AVC -- SELinux policy correctly does not expect services to re-build
    .pyc in /usr.

 *  This could be prevented by requiring user to re-build .pyc manually
    after every change, which is cumbersome to say the least.


Version-Release number of selected component
============================================

mailman-2.1.12-22.el6.x86_64


Additional info
===============

We had brief discussion with pavlix; following solutions were mentioned:

 *  deploy mm_cfg.py to /etc and add symlink under /usr,

 *  deploy two files and have mailman load both, overriding values
    in /usr by values defined in /etc

(Question is, if placing the .py file under /usr really dodges the
problem with AVC, but even if it would require touching selinux-policy,
/etc seems more likely than /usr.)

It would be good idea to ask upstream have a solution, and/or ask SELinux
people if there's another component with similar problem.
Comment 2 Pavel Šimerda (pavlix) 2016-08-04 12:11:14 UTC 
(In reply to Alois Mahdal from comment #0)
> We had brief discussion with pavlix; following solutions were mentioned:
> 
>  *  deploy mm_cfg.py to /etc and add symlink under /usr,

...

> (Question is, if placing the .py file under /usr really dodges the
> problem with AVC, but even if it would require touching selinux-policy,
> /etc seems more likely than /usr.)

Python indeed attempts to compile the symlink as if it was a regular file. Therefore this solution doesn't work. Alternative solutions are available.

 * Set 'sys.path' in mailman to also include '/etc/mailman' so '/etc/mailman/mm_cfg.py' can be imported easily. That might still require selinux-policy for /etc/mailman.

 * Import or execute the file in a way that suppresses the compilation (moving the file to '/etc/mailman' at the same time).
Comment 3 Pavel Šimerda (pavlix) 2016-08-04 12:19:54 UTC 
It looks like this has been already addressed in Fedora:

http://pkgs.fedoraproject.org/cgit/mailman.git/commit
/?id=53237a5009c8eda1522974097236ce154a4b59c9
Comment 4 Pavel Šimerda (pavlix) 2016-08-04 12:39:33 UTC 
There's also a hack suggested by Mark Sapiro that might or might not work:

https://mail.python.org/pipermail/mailman-users/2009-April/065633.html
Comment 10 Alois Mahdal 2017-01-27 03:49:10 UTC 
OK, given that we don't know how to reproduce the issue (I used to see this one time during manual testing; unfortunately I was not able to find out how to hit it), I will only do sanity testing.

I reviewed the patch and it seems OK.  Test suite passes.
Comment 12 errata-xmlrpc 2017-03-21 12:04:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0800.html
Note You need to log in before you can comment on or make changes to this bug.