Message 364011

| Field | Value |
|---|---|
| Author | christian.heimes |
| Recipients | Leif Middelschulte, christian.heimes |
| Date | 2020-03-12 11:45:19 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1584013519.4.0.0410198649586.issue38893@roundup.psfhosted.org> |
| In-reply-to | |

Content
No, CPython's stdlib doesn't use libselinux.

I talked to an engineer from Red Hat's SELinux team today. SELinux returns EACCES for policy violations like in this case. The _copyxattr() helper function ignores EPERM but not EACCES. You are seeing a PermissionError exception because Python maps both EPERM and EACCES to PermissionError.

As a first fix, the _copyxattr() helper could ignore all permission errors for the "security.*" namespace and just continue. This will get rid of the error but may still cause lots of AVC audit events.

A better but backwards-incompatible approach is to handle the xattr namespaces differently. Linux defines four xattr namespaces: security, system, trusted, and user. The security namespace is used by security policies like Smack or SELinux. IMHO _copyxattr() should only copy user xattrs by default. The security namespace should only be copied when the caller opts in. The cp tool has separate preserve settings for context (SELinux security context) and xattr (other extended attributes).
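A namespace-aware xattr copy along the lines the message proposes, as an added example that is not CPython's shutil._copyxattr; the os.*xattr call signatures are real, while FakeXattrFS and its EACCES behaviour are constructed here to exercise the SELinux denial case offline.

```python
import errno
import os
# Added example, not CPython's shutil._copyxattr: copy xattrs by namespace.
# user.* is copied by default, security.* (SELinux/Smack labels) only when the
# caller opts in, system.*/trusted.* never; a denial on a security.* name is
# skipped whether the kernel reports EPERM or EACCES (both PermissionError).
IGNORED = (errno.ENOTSUP, errno.ENODATA, errno.EINVAL)
def copy_xattrs(src, dst, *, copy_security=False, follow_symlinks=True,
                listxattr=os.listxattr, getxattr=os.getxattr, setxattr=os.setxattr):
    """Return (copied, skipped) lists of attribute names."""
    try:
        names = listxattr(src, follow_symlinks=follow_symlinks)
    except OSError as e:
        if e.errno in IGNORED:  # filesystem without xattr support
            return [], []
        raise
    copied, skipped = [], []
    for name in names:
        is_security = name.startswith("security.")
        if not (name.startswith("user.") or (is_security and copy_security)):
            skipped.append(name)
            continue
        try:
            value = getxattr(src, name, follow_symlinks=follow_symlinks)
            setxattr(dst, name, value, follow_symlinks=follow_symlinks)
            copied.append(name)
        except OSError as e:
            # Policy denial on a label: keep going instead of failing the copy.
            denied = is_security and e.errno in (errno.EPERM, errno.EACCES)
            if denied or e.errno in IGNORED:
                skipped.append(name)
            else:
                raise
    return copied, skipped

class FakeXattrFS:
    # Constructed stand-in for os.*xattr: setting a name with a prefix in
    # `deny` fails with EACCES, the way SELinux denies relabelling.
    def __init__(self, files, deny=("security.",)):
        self.files = files  # {path: {attribute name: bytes value}}
        self.deny = deny
    def listxattr(self, path, *, follow_symlinks=True):
        return list(self.files[path])
    def getxattr(self, path, name, *, follow_symlinks=True):
        return self.files[path][name]
    def setxattr(self, path, name, value, flags=0, *, follow_symlinks=True):
        if name.startswith(self.deny):
            raise PermissionError(errno.EACCES, "Permission denied", path)
        self.files.setdefault(path, {})[name] = value
```

Passing the fake's methods as the `listxattr`/`getxattr`/`setxattr` arguments shows that a denied security.* label no longer aborts the copy while a denial on a user.* attribute still surfaces as PermissionError.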
History

| Date | User | Action | Args |
|---|---|---|---|
| 2020-03-12 11:45:19 | christian.heimes | set | recipients: + christian.heimes, Leif Middelschulte |
| 2020-03-12 11:45:19 | christian.heimes | set | messageid: <1584013519.4.0.0410198649586.issue38893@roundup.psfhosted.org> |
| 2020-03-12 11:45:19 | christian.heimes | link | issue38893 messages |
| 2020-03-12 11:45:19 | christian.heimes | create | |