Description of problem:
SELinux is preventing python3 from 'write' accesses on the directory __pycache__.

***** Plugin catchall (100. confidence) suggests **************************

If você acredita que o python3 deva ser permitido acesso de write em __pycache__ directory por default.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
allow this access for now by executing:
# ausearch -c 'python3' --raw | audit2allow -M my-python3
# semodule -X 300 -i my-python3.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                __pycache__ [ dir ]
Source                        python3
Source Path                   python3
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.7-201.fc25.x86_64 #1 SMP Thu Feb 2 23:32:42 UTC 2017 x86_64 x86_64
Alert Count                   55
First Seen                    2017-02-05 00:06:48 BRST
Last Seen                     2017-02-05 00:06:49 BRST
Local ID                      84074be3-b250-4b2f-a54a-c7b7ab1f4cf6

Raw Audit Messages
type=AVC msg=audit(1486260409.5:395): avc: denied { write } for pid=2614 comm="blueman-mechani" name="__pycache__" dev="sdb7" ino=13548 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

Hash: python3,blueman_t,lib_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.7-201.fc25.x86_64
type:           libreport

Got that issue as well. It appears to be relatively new. It started yesterday, but I'm not using the system every day. It wasn't there a week ago.

I'm using Fedora 25 with updates-testing repository enabled.

Package versions:
kernel-4.9.7-201.fc25.x86_64
python3-3.5.3-1.fc25.x86_64
blueman-2.0.4-4.fc25.x86_64
libreport-2.8.0-1.fc25.x86_64
selinux-policy-3.13.1-225.6.fc25.noarch
selinux-policy-targeted-3.13.1-225.6.fc25.noarch

reason from the "problem details":
SELinux is preventing python3 from 'write' accesses on the directory /usr/lib/python3.5/site-packages/blueman/plugins/mechanism/__pycache__

Description of problem:
This seems to happen on startup and keeps reappearing. Similar notifications pop up for firewalld and abrt-action-not:

SELinux is preventing firewalld from write access on the directory /usr/lib/python3.5/site-packages/firewall/core/__pycache__
SELinux is preventing abrt-action-not from write access on the directory /usr/lib64/python3.5/site-packages/dbus/__pycache__

I have kept this system in sync with updates-testing and it's been probably a little over a week since I first noticed these messages.

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.9-200.fc25.x86_64
type:           libreport

I got this for /usr/lib/python3.5/site-packages/blueman/plugins/mechanism/__pycache__ but don't believe this is an SELinux policy problem as python shouldn't attempt to write these files at all -- the __pycache__/*.pyc files are all newer than their source counterparts:

root@gibraltar:/usr/lib/python3.5/site-packages/blueman/plugins/mechanism> for py in *.py; do pyc="__pycache__/${py%.py}.cpython-35.pyc"; pyo="__pycache__/${py%.py}.cpython-35.opt-1.pyc"; [ ! "$pyc" -nt "$py" -o ! "$pyo" -nt "$py" ] && echo "$py"; done
root@gibraltar:/usr/lib/python3.5/site-packages/blueman/plugins/mechanism>

Apparently this has been fixed in python3 already, there's a testing update carrying this patch:

From 93602e3af70d3b9f98ae2da654b16b3382b68d50 Mon Sep 17 00:00:00 2001
From: Nick Coghlan <ncoghlan>
Date: Wed, 8 Mar 2017 16:41:01 +1000
Subject: [PATCH] [3.5] bpo-29537: Tolerate legacy invalid bytecode (#169)

bpo-27286 fixed a problem where BUILD_MAP_UNPACK_WITH_CALL could
be emitted with an incorrect oparg value, causing the eval loop
to access the wrong stack entry when attempting to read the
function name.

The associated magic number change caused significant problems when
attempting to upgrade to 3.5.3 for anyone that relies on pre-cached
bytecode remaining valid across maintenance releases.

This patch restores the ability to import legacy bytecode generated
by 3.5.0, 3.5.1 or 3.5.2, and modifies the eval loop to
avoid any harmful consequences from the potentially malformed legacy
bytecode.

Original import patch by Petr Viktorin, eval loop patch by Serhiy Storchaka,
and tests and integration by Nick Coghlan.

https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1a1bb2c4c

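
Added example, not part of the original comments or of the CPython patch: a simplified model of how the 3.5 importer validates a cached .pyc header, showing why a cache file whose source is unchanged is still rewritten (and the write to __pycache__ denied for blueman_t) once the magic number changes. The magic values 3350 and 3351, the helper names and the sample mtime/size are assumptions made for illustration.

```python
import struct

# Assumed values (not from the page): CPython bytecode magic numbers for
# 3.5.0-3.5.2 and for 3.5.3, stored as a 2-byte little-endian number + b"\r\n".
MAGIC_35_LEGACY = (3350).to_bytes(2, "little") + b"\r\n"
MAGIC_353 = (3351).to_bytes(2, "little") + b"\r\n"


def make_header(magic, src_mtime, src_size):
    """Build a Python 3.5-style 12-byte .pyc header: magic, mtime, size."""
    return magic + struct.pack("<II", src_mtime & 0xFFFFFFFF, src_size & 0xFFFFFFFF)


def recompile_reason(pyc_header, src_mtime, src_size, accepted_magics):
    """Return why the importer would rewrite the cache file, or None if valid.

    Checks run in the importer's order: magic first, then the source mtime
    and size recorded inside the header. The timestamp of the .pyc file
    itself is never consulted.
    """
    if len(pyc_header) < 12:
        return "truncated header"
    magic = pyc_header[:4]
    rec_mtime, rec_size = struct.unpack("<II", pyc_header[4:12])
    if magic not in accepted_magics:
        return "magic mismatch"
    if rec_mtime != src_mtime & 0xFFFFFFFF:
        return "source mtime mismatch"
    if rec_size != src_size & 0xFFFFFFFF:
        return "source size mismatch"
    return None


def demo():
    # Constructed sample: cache written by 3.5.2 for a source file that has
    # not changed since (same mtime and size as recorded in the header).
    mtime, size = 1480000000, 4096
    cached = make_header(MAGIC_35_LEGACY, mtime, size)
    both = {MAGIC_353, MAGIC_35_LEGACY}  # model of the bpo-29537 behaviour
    return {
        "3.5.3 before the patch": recompile_reason(cached, mtime, size, {MAGIC_353}),
        "3.5.3 with bpo-29537": recompile_reason(cached, mtime, size, both),
        "source edited later": recompile_reason(cached, mtime + 60, size, both),
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason or 'cache accepted, no write to __pycache__'}")
```
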
python3-3.5.3-3.fc25 python3-docs-3.5.3-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1a1bb2c4c
python3-3.5.3-3.fc25, python3-docs-3.5.3-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.