Bug 1477753 - python3 .pyo and .pyc files need to go in __pycache__ directory
Status: CLOSED CURRENTRELEASE
Product: Spacewalk
Classification: Community
Component: Clients
Version: 2.6
Assigned To: Michael Mráka
QA Contact: Red Hat Satellite QA List
Blocks: spacewalk-review 1397333 1425524 space27
Reported: 2017-08-02 16:02 EDT by Eric Herget
Modified: 2017-09-27 15:37 EDT
Fixed In Version: osad-5.11.87-1 spacewalk-usix-2.7.8-1 spacewalk-backend-2.7.136-1
Last Closed: 2017-09-27 15:37:24 EDT
Type: Bug

Description Eric Herget 2017-08-02 16:02:24 EDT
Description of problem:
Python3 requires precompiled bytecode files (.pyo and .pyc) to be located in a __pycache__ directory, not in the same directory with the .py files.

Version-Release number of selected component (if applicable):
All

How reproducible:
This issue shows up on any python3 system following an update to selinux-policy back in February 2017 when the code is run as a non-root user.  Client tools run as a non-root user do not experience this issue, but will still benefit from us putting the .pyo and .pyc files in the correct location to avoid the precompile step when they are first run.

Steps to Reproduce:
1. Install osad on a system using python3 (all currently supported Fedora versions)
2. Attempt to start osad
3. See failures in /var/log/audit/audit.log

Actual results:
AVC write denials

Expected results:
code runs without selinux issues

Additional info:
Comment 1 Michael Mráka 2017-08-03 11:09:18 EDT
Fixed in spacewalk git by
commit cc3831d0ba36c91e04b5a0a48c3e38fcc55ba43c
    1477753 - use standard brp-python-bytecompile to make proper .pyc/.pyo
Comment 2 Ales Dujicek 2017-08-04 03:56:13 EDT
osa-dispatcher is still python2 and the fix probably caused this

type=AVC msg=audit(1501800705.067:619): avc:  denied  { write } for  pid=11457 comm="osa-dispatcher" name="osad" dev="dm-0" ino=25232088 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
Fail: AVC messages found.

can you please check it?
Comment 3 Michael Mráka 2017-08-07 10:44:33 EDT
Fixed in spacewalk git by
commit 715b8202cfc075f900bb976519058d26c67ce6c2
    recompile osa-dispatcher with py2 even on F23+
Comment 4 Ales Dujicek 2017-08-08 02:10:11 EDT
there are two more __pycache__ directories
and the execmem avc

# rpm -q osad
osad-5.11.87-1.fc25.noarch
# service  osad start
Redirecting to /bin/systemctl start  osad.service
Job for osad.service failed because a fatal signal was delivered causing the control process to dump core.
See "systemctl status osad.service" and "journalctl -xe" for details.
# audit2why -a
type=AVC msg=audit(1502171870.811:219): avc:  denied  { write } for  pid=2272 comm="osad" name="spacewalk" dev="dm-0" ino=645216 scontext=system_u:system_r:osad_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1502171870.811:220): avc:  denied  { write } for  pid=2272 comm="osad" name="common" dev="dm-0" ino=9398155 scontext=system_u:system_r:osad_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1502171870.813:221): avc:  denied  { write } for  pid=2272 comm="osad" name="common" dev="dm-0" ino=9398155 scontext=system_u:system_r:osad_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1502171870.862:222): avc:  denied  { execmem } for  pid=2272 comm="osad" scontext=system_u:system_r:osad_t:s0 tcontext=system_u:system_r:osad_t:s0 tclass=process permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

# find / -inum 645216
/usr/lib/python3.5/site-packages/spacewalk
# find / -inum 9398155 
/usr/lib/python3.5/site-packages/spacewalk/common

# find /usr/lib/python3.5/site-packages/spacewalk > find-before
# setenforce 0
# service  osad start
Redirecting to /bin/systemctl start  osad.service
# find /usr/lib/python3.5/site-packages/spacewalk > find-after
# diff -u find-before find-after 
--- find-before	2017-08-08 02:00:28.796123264 -0400
+++ find-after	2017-08-08 02:00:42.892562727 -0400
@@ -12,3 +12,8 @@
 /usr/lib/python3.5/site-packages/spacewalk/common/rhn_pkg.py
 /usr/lib/python3.5/site-packages/spacewalk/common/rhn_rpm.py
 /usr/lib/python3.5/site-packages/spacewalk/common/stringutils.py
+/usr/lib/python3.5/site-packages/spacewalk/common/__pycache__
+/usr/lib/python3.5/site-packages/spacewalk/common/__pycache__/__init__.cpython-35.pyc
+/usr/lib/python3.5/site-packages/spacewalk/common/__pycache__/usix.cpython-35.pyc
+/usr/lib/python3.5/site-packages/spacewalk/__pycache__
+/usr/lib/python3.5/site-packages/spacewalk/__pycache__/__init__.cpython-35.pyc
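
An added example, not part of the comment above or of the Spacewalk code: a packaging check that predicts the `write` denials on `lib_t` directories by listing modules that have no bytecode file in `__pycache__` for the running interpreter. The function names and the temporary package tree are constructed for illustration.

```python
import importlib.util
import os
import py_compile
import tempfile


def missing_bytecode(root):
    """Return sorted .py paths under root with no cached .pyc for this interpreter."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        # __pycache__ holds only bytecode; there are no sources to check inside it.
        dirnames[:] = [d for d in dirnames if d != "__pycache__"]
        for name in filenames:
            if not name.endswith(".py"):
                continue
            source = os.path.join(dirpath, name)
            # PEP 3147 location, e.g. __pycache__/usix.cpython-35.pyc
            cached = importlib.util.cache_from_source(source)
            # Existence check only: a stale .pyc would also trigger a rewrite.
            if not os.path.isfile(cached):
                missing.append(source)
    return sorted(missing)


def demo():
    """Build a constructed package tree, precompile one module, report the rest."""
    with tempfile.TemporaryDirectory() as top:
        os.makedirs(os.path.join(top, "spacewalk", "common"))
        paths = {}
        for rel in ("spacewalk/__init__.py", "spacewalk/common/__init__.py",
                    "spacewalk/common/usix.py"):
            full = os.path.join(top, *rel.split("/"))
            with open(full, "w") as fh:
                fh.write("VALUE = 1\n")
            paths[rel] = full
        # Simulate a package that shipped bytecode for only one module.
        py_compile.compile(paths["spacewalk/common/usix.py"], doraise=True)
        found = missing_bytecode(top)
        return [os.path.relpath(p, top).replace(os.sep, "/") for p in found]


if __name__ == "__main__":
    for path in demo():
        print("no precompiled bytecode:", path)
```

On an installed system, call `missing_bytecode` on the package directory named in the denial, using the same interpreter version the service runs under, because the `.pyc` filename embeds the interpreter tag.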
Comment 5 Michael Mráka 2017-08-09 13:21:18 EDT
More __pycache__ fixes in spacewalk git
commit c17b22b29579c159643aba70f3b2dc7a11ff5b45
    1477753 - precompile py3 stuff
commit 08ba9af83af333cb231186d0ec529b6144a62fd5
    1477753 - use standard brp-python-bytecompile
commit 960b069e4820e8aef05c27e62081320dba8c651e
    1477753 - precompile py3 bytecode
Comment 6 Eric Herget 2017-09-27 15:37:24 EDT
Spacewalk 2.7 has been released.

https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes27
