Bug 1419301 - SELinux is preventing python3 from 'write' accesses on the directory __pycache__.
Summary: SELinux is preventing python3 from 'write' accesses on the directory __pycach...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python3
Version: 25
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Charalampos Stratakis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b2d1fab5ad20339fe282a9fb3ed...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-05 02:08 UTC by Filipe Rosset
Modified: 2017-03-16 22:21 UTC (History)
19 users (show)

Fixed In Version: python3-3.5.3-3.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-16 22:21:40 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Filipe Rosset 2017-02-05 02:08:41 UTC
Description of problem:
SELinux is preventing python3 from 'write' accesses on the directory __pycache__.

*****  Plugin catchall (100. confidence) suggests   **************************

If você acredita que o python3 deva ser permitido acesso de write em __pycache__ directory  por default.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
allow this access for now by executing:
# ausearch -c 'python3' --raw | audit2allow -M my-python3
# semodule -X 300 -i my-python3.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                __pycache__ [ dir ]
Source                        python3
Source Path                   python3
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.7-201.fc25.x86_64 #1 SMP Thu
                              Feb 2 23:32:42 UTC 2017 x86_64 x86_64
Alert Count                   55
First Seen                    2017-02-05 00:06:48 BRST
Last Seen                     2017-02-05 00:06:49 BRST
Local ID                      84074be3-b250-4b2f-a54a-c7b7ab1f4cf6

Raw Audit Messages
type=AVC msg=audit(1486260409.5:395): avc:  denied  { write } for  pid=2614 comm="blueman-mechani" name="__pycache__" dev="sdb7" ino=13548 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0


Hash: python3,blueman_t,lib_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.7-201.fc25.x86_64
type:           libreport

Comment 1 Pavel Roskin 2017-02-08 05:35:46 UTC
Got that issue as well. It appears to be relatively new. It started yesterday, but I'm not using the system every day. It wasn't there a week ago. I'm using Fedora 25 with updates-testing repository enabled.

Package versions:

kernel-4.9.7-201.fc25.x86_64
python3-3.5.3-1.fc25.x86_64
blueman-2.0.4-4.fc25.x86_64
libreport-2.8.0-1.fc25.x86_64
selinux-policy-3.13.1-225.6.fc25.noarch
selinux-policy-targeted-3.13.1-225.6.fc25.noarch

reason from the "problem details":

SELinux is preventing python3 from 'write' accesses on the directory /usr/lib/python3.5/site-packages/blueman/plugins/mechanism/__pycache__

Comment 2 Alexander Ploumistos 2017-02-13 16:30:12 UTC
Description of problem:
This seems to happen on startup and keeps reappearing. Similar notifications pop up for firewalld and abrt-action-not:

SELinux is preventing firewalld from write access on the directory /usr/lib/python3.5/site-packages/firewall/core/__pycache__

SELinux is preventing abrt-action-not from write access on the directory /usr/lib64/python3.5/site-packages/dbus/__pycache__

I have kept this system in sync with updates-testing and it's been probably a little over a week since I first noticed these messages.


Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.9-200.fc25.x86_64
type:           libreport

Comment 3 Nils Philippsen 2017-03-13 09:55:51 UTC
I got this for /usr/lib/python3.5/site-packages/blueman/plugins/mechanism/__pycache__ but don't believe this is an SELinux policy problem as python shouldn't attempt to write these files at all -- the __pycache__/*.pyc files are all newer than their source counterparts:

root@gibraltar:/usr/lib/python3.5/site-packages/blueman/plugins/mechanism> for py in *.py; do pyc="__pycache__/${py%.py}.cpython-35.pyc"; pyo="__pycache__/${py%.py}.cpython-35.opt-1.pyc"; [ ! "$pyc" -nt "$py" -o ! "$pyo" -nt "$py" ] && echo $i; done
root@gibraltar:/usr/lib/python3.5/site-packages/blueman/plugins/mechanism>

Apparently this has been fixed in python3 already, there's a testing update carrying this patch:

From 93602e3af70d3b9f98ae2da654b16b3382b68d50 Mon Sep 17 00:00:00 2001
From: Nick Coghlan <ncoghlan>
Date: Wed, 8 Mar 2017 16:41:01 +1000
Subject: [PATCH] [3.5] bpo-29537: Tolerate legacy invalid bytecode (#169)

bpo-27286 fixed a problem where BUILD_MAP_UNPACK_WITH_CALL could
be emitted with an incorrect oparg value, causing the eval loop
to access the wrong stack entry when attempting to read the
function name.

The associated magic number change caused significant problems when
attempting to upgrade to 3.5.3 for anyone that relies on pre-cached
bytecode remaining valid across maintenance releases.

This patch restores the ability to import legacy bytecode generated
by 3.5.0, 3.5.1 or 3.5.2, and modifies the eval loop to
avoid any harmful consequences from the potentially malformed legacy
bytecode.

Original import patch by Petr Viktorin, eval loop patch by Serhiy Storchaka,
and tests and integration by Nick Coghlan.

https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1a1bb2c4c

Comment 4 Fedora Update System 2017-03-13 09:57:55 UTC
python3-3.5.3-3.fc25 python3-docs-3.5.3-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1a1bb2c4c

Comment 5 Fedora Update System 2017-03-16 22:21:40 UTC
python3-3.5.3-3.fc25, python3-docs-3.5.3-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.