Bug 1477753 - python3 .pyo and .pyc files need to go in __pycache__ directory
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Clients
Version: 2.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: spacewalk-review 1397333 1425524 space27
Reported: 2017-08-02 20:02 UTC by Eric Herget
Modified: 2017-09-27 19:37 UTC

Fixed In Version: osad-5.11.87-1 spacewalk-usix-2.7.8-1 spacewalk-backend-2.7.136-1
Clone Of:
Environment:
Last Closed: 2017-09-27 19:37:24 UTC
Embargoed:



Description Eric Herget 2017-08-02 20:02:24 UTC
Description of problem:
Python3 requires precompiled bytecode files (.pyo and .pyc) to be located in a __pycache__ directory, not in the same directory with the .py files.

Version-Release number of selected component (if applicable):
All

How reproducible:
This issue shows up on any python3 system following an update to selinux-policy back in February 2017 when the code is run as a non-root user.  Client tools run as a non-root user do not experience this issue, but will still benefit from us putting the .pyo and .pyc files in the correct location to avoid the precompile step when they are first run.

Steps to Reproduce:
1. Install osad on a system using python3 (all currently supported Fedora versions)
2. Attempt to start osad
3. See failures in /var/log/audit/audit.log

Actual results:
AVC write denials

Expected results:
code runs without selinux issues

Additional info:

Comment 1 Michael Mráka 2017-08-03 15:09:18 UTC
Fixed in spacewalk git by
commit cc3831d0ba36c91e04b5a0a48c3e38fcc55ba43c
    1477753 - use standard brp-python-bytecompile to make proper .pyc/.pyo

Comment 2 Ales Dujicek 2017-08-04 07:56:13 UTC
osa-dispatcher is still python2 and the fix probably caused this

type=AVC msg=audit(1501800705.067:619): avc:  denied  { write } for  pid=11457 comm="osa-dispatcher" name="osad" dev="dm-0" ino=25232088 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
Fail: AVC messages found.

can you please check it?

Comment 3 Michael Mráka 2017-08-07 14:44:33 UTC
Fixed in spacewalk git by
commit 715b8202cfc075f900bb976519058d26c67ce6c2
    recompile osa-dispatcher with py2 even on F23+

Comment 4 Ales Dujicek 2017-08-08 06:10:11 UTC
there are two more __pycache__ directories
and the execmem avc

# rpm -q osad
osad-5.11.87-1.fc25.noarch
# service  osad start
Redirecting to /bin/systemctl start  osad.service
Job for osad.service failed because a fatal signal was delivered causing the control process to dump core.
See "systemctl status osad.service" and "journalctl -xe" for details.
# audit2why -a
type=AVC msg=audit(1502171870.811:219): avc:  denied  { write } for  pid=2272 comm="osad" name="spacewalk" dev="dm-0" ino=645216 scontext=system_u:system_r:osad_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1502171870.811:220): avc:  denied  { write } for  pid=2272 comm="osad" name="common" dev="dm-0" ino=9398155 scontext=system_u:system_r:osad_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1502171870.813:221): avc:  denied  { write } for  pid=2272 comm="osad" name="common" dev="dm-0" ino=9398155 scontext=system_u:system_r:osad_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1502171870.862:222): avc:  denied  { execmem } for  pid=2272 comm="osad" scontext=system_u:system_r:osad_t:s0 tcontext=system_u:system_r:osad_t:s0 tclass=process permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

# find / -inum 645216
/usr/lib/python3.5/site-packages/spacewalk
# find / -inum 9398155 
/usr/lib/python3.5/site-packages/spacewalk/common

# find /usr/lib/python3.5/site-packages/spacewalk > find-before
# setenforce 0
# service  osad start
Redirecting to /bin/systemctl start  osad.service
# find /usr/lib/python3.5/site-packages/spacewalk > find-after
# diff -u find-before find-after 
--- find-before	2017-08-08 02:00:28.796123264 -0400
+++ find-after	2017-08-08 02:00:42.892562727 -0400
@@ -12,3 +12,8 @@
 /usr/lib/python3.5/site-packages/spacewalk/common/rhn_pkg.py
 /usr/lib/python3.5/site-packages/spacewalk/common/rhn_rpm.py
 /usr/lib/python3.5/site-packages/spacewalk/common/stringutils.py
+/usr/lib/python3.5/site-packages/spacewalk/common/__pycache__
+/usr/lib/python3.5/site-packages/spacewalk/common/__pycache__/__init__.cpython-35.pyc
+/usr/lib/python3.5/site-packages/spacewalk/common/__pycache__/usix.cpython-35.pyc
+/usr/lib/python3.5/site-packages/spacewalk/__pycache__
+/usr/lib/python3.5/site-packages/spacewalk/__pycache__/__init__.cpython-35.pyc

Comment 5 Michael Mráka 2017-08-09 17:21:18 UTC
More __pycache__ fixes in spacewalk git
commit c17b22b29579c159643aba70f3b2dc7a11ff5b45
    1477753 - precompile py3 stuff
commit 08ba9af83af333cb231186d0ec529b6144a62fd5
    1477753 - use standard brp-python-bytecompile
commit 960b069e4820e8aef05c27e62081320dba8c651e
    1477753 - precompile py3 bytecode

Comment 6 Eric Herget 2017-09-27 19:37:24 UTC
Spacewalk 2.7 has been released.

https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes27