[issue38893] broken container/selinux integration
New submission from Leif Middelschulte:

It seems Python does not necessarily determine that it is running inside a container correctly. This leads to broken/unexpected behavior when trying to copy files across filesystems using `copy2`. This directly affects Python3 inside the official `fedora:latest` image.

Steps to reproduce the issue can be found here: https://github.com/containers/container-selinux/issues/81

https://bugs.python.org/issue26328 *might* be related too.

--
components: IO
messages: 357248
nosy: Leif Middelschulte
priority: normal
severity: normal
status: open
title: broken container/selinux integration
type: behavior
versions: Python 3.6, Python 3.7, Python 3.8, Python 3.9

___
Python tracker <https://bugs.python.org/issue38893>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
Leif Middelschulte added the comment:

> Could you please provide name and value of the setxattr() call? I bet it's
> trying to setxattr 'security.selinux' extended file attribute.

```
(Pdb) bt full
  /usr/lib64/python3.7/pdb.py(1701)main()
-> pdb._runscript(mainpyfile)
  /usr/lib64/python3.7/pdb.py(1570)_runscript()
-> self.run(statement)
  /usr/lib64/python3.7/bdb.py(585)run()
-> exec(cmd, globals, locals)
  (1)()->None
  /tmp/test.py(6)()->None
-> copy2('/tmp/some_file', '/relabel_bug/failure')
  /usr/lib64/python3.7/shutil.py(267)copy2()
-> copystat(src, dst, follow_symlinks=follow_symlinks)
  /usr/lib64/python3.7/shutil.py(209)copystat()
-> _copyxattr(src, dst, follow_symlinks=follow)
> /usr/lib64/python3.7/shutil.py(165)_copyxattr()
-> os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
(Pdb) p dst
'/relabel_bug/failure'
(Pdb) p name
'security.selinux'
(Pdb) p value
b'system_u:object_r:fusefs_t:s0\x00'
(Pdb)
```

--
Leif Middelschulte added the comment:

For the sake of completeness, the content of `/tmp/test.py`:

```
#!/usr/bin/env python3

from shutil import copy2

copy2('/tmp/some_file', '/relabel_bug/failure')
```

--
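The traceback and repro script above show `shutil.copy2` failing inside `copystat` -> `_copyxattr` while it tries to write the `security.selinux` attribute onto a file on another filesystem. A defensive way to copy such files from a confined container process is to keep `copy2`'s data, mode and timestamp behaviour but treat the kernel-managed `security.*` attribute namespace as not ours to copy, and record rather than raise when the destination refuses any other attribute. The following is an added example written for this discussion; it is not code from the issue reporter or from CPython's `shutil`, and the helper names (`copy2_tolerant`, `copy_xattrs_tolerant`, `filter_xattr_names`, `run_demo`) and the sample file contents are this example's own.

```python
#!/usr/bin/env python3
"""Added example: a copy2-style copy that tolerates an unwritable SELinux label.

Helper names here are the example's own, not CPython's. The errno sets mirror
the ones shutil._copyxattr already ignores, plus the permission errors seen
when a confined process cannot relabel a file on a foreign filesystem.
"""
import errno
import logging
import os
import shutil
import stat
import tempfile

log = logging.getLogger(__name__)

# security.* attributes (security.selinux among them) are assigned by the LSM
# according to policy; a confined process usually may not write them on a
# bind-mounted filesystem, so the destination keeps the label its policy gives.
SKIPPED_XATTR_PREFIXES = ("security.",)

_NO_XATTR_SUPPORT = {errno.ENOTSUP, errno.ENODATA, errno.EINVAL}  # as in shutil
_NOT_PERMITTED = {errno.EPERM, errno.EACCES}                      # refused on dst


def filter_xattr_names(names, skip_prefixes=SKIPPED_XATTR_PREFIXES):
    """Return only the attribute names that should be copied."""
    return [n for n in names if not n.startswith(skip_prefixes)]


def copy_xattrs_tolerant(src, dst, *, follow_symlinks=True):
    """Copy extended attributes src -> dst, skipping security.*.

    Returns the names dst refused; raises only for unexpected OSErrors.
    """
    if not hasattr(os, "listxattr"):  # xattr calls exist on Linux only
        return []
    try:
        names = os.listxattr(src, follow_symlinks=follow_symlinks)
    except OSError as exc:
        if exc.errno in _NO_XATTR_SUPPORT:
            return []
        raise
    refused = []
    for name in filter_xattr_names(names):
        try:
            value = os.getxattr(src, name, follow_symlinks=follow_symlinks)
            os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
        except OSError as exc:
            if exc.errno in _NO_XATTR_SUPPORT | _NOT_PERMITTED:
                log.warning("could not copy xattr %r to %s: %s", name, dst, exc)
                refused.append(name)
            else:
                raise
    return refused


def copy2_tolerant(src, dst, *, follow_symlinks=True):
    """Like shutil.copy2, but with the tolerant xattr step above."""
    if os.path.isdir(dst):
        dst = os.path.join(dst, os.path.basename(src))
    shutil.copyfile(src, dst, follow_symlinks=follow_symlinks)
    shutil.copymode(src, dst, follow_symlinks=follow_symlinks)
    st = os.stat(src, follow_symlinks=follow_symlinks)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    copy_xattrs_tolerant(src, dst, follow_symlinks=follow_symlinks)
    return dst


def run_demo():
    """Constructed self-check in a temp dir; returns facts a caller can assert on."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "some_file")
        dst_dir = os.path.join(tmp, "relabel_bug")
        os.mkdir(dst_dir)
        with open(src, "wb") as fh:
            fh.write(b"constructed payload\n")  # constructed sample content
        os.chmod(src, 0o640)
        try:  # user.* xattrs may be unsupported on the temp filesystem
            os.setxattr(src, "user.demo", b"1")
        except (AttributeError, OSError):
            pass
        dst = copy2_tolerant(src, dst_dir)
        with open(dst, "rb") as fh:
            same_content = fh.read() == b"constructed payload\n"
        same_mode = stat.S_IMODE(os.stat(dst).st_mode) == 0o640
        return {"dst": dst, "same_content": same_content, "same_mode": same_mode}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(run_demo())
```

Skipping `security.*` is the conservative choice for a build or deployment job: the file data, mode and timestamps still arrive intact, and the label the destination ends up with is the one its own filesystem and policy assign, which is what an unconfined `cp` without `--preserve=context` would produce as well. Attributes the destination refuses for other reasons are logged and returned so the caller can decide whether that matters.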
Leif Middelschulte added the comment:

@Christian Heimes: is there anything else you need from me? Is this the wrong forum?

As discussed in the referenced GitHub issue, some SELinux people suggest it might be a fault in how Python determines (?) it's running within a container environment and how to act upon it. Does it determine it at all? Does it use libselinux[0]?

Background: I came across this issue by building a Linux distribution using Yocto in a Fedora:30 podman managed container with host volumes bound in. I guess that it is a fairly common scenario in the near future.

[0] https://danwalsh.livejournal.com/73099.html

--