SELinux Archive on lore.kernel.org
 help / color / Atom feed
From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 1/4] libselinux: compile Python bytecode when installing Python files
Date: Sat, 9 Nov 2019 16:55:07 +0100
Message-ID: <CAJfZ7=kihH_zrWHdYcR8qf9w9C_VSjcs4ShxUE1XeQv_VRG0eg@mail.gmail.com> (raw)
In-Reply-To: <CAJfZ7=mXrusf-yANsoEhKGrySUJJHG3AkL3ND1uGx13yWwvMGg@mail.gmail.com>

On Sun, Nov 3, 2019 at 9:57 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Sat, Nov 2, 2019 at 9:18 PM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello Nicolas,
> >
> > On Sat,  2 Nov 2019 18:28:09 +0100
> > Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > > When selinux module is imported from a Python script, the content of
> > > __init__.py is compiled into bytecode and the result is saved into a
> > > file if it is allowed. For example, when root runs with Python 3.7 a
> > > script that uses "import selinux" on a system where SELinux is in
> > > permissive mode, this file may be created:
> > >
> > >     /usr/lib/python3.7/site-packages/selinux/__pycache__/__init__.cpython-37.pyc
> > >
> > > Prevent this file from being dynamically created by creating it when
> > > libselinux is installed, using "python -m compileall".
> > >
> > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> >
> > As far as I know, this not typically done by "setup.py install", and
> > this is generally left to distributions.
>
> Hello, this is done when a parameter such as "--optimize=1" is given
> to "python setup.py install". Such a parameter is described in Arch
> Linux packaging guidelines
> (https://wiki.archlinux.org/index.php/Python_package_guidelines#distutils).
> Nevertheless I agree it seems to be left to distributions whether to
> bytecode-compile Python modules.

I have spent some time working on these patches, and it appears that
the base assumption of "this not typically done by setup.py install"
is not true on my system (Arch Linux with Python 3.7): setup.py *DOES*
compile bytecode into .pyc files. What the distribution I'm using does
when packaging is giving a parameter such as --optimize=1 in order to
create .opt-1.pyc files too. Currently, python/sepolicy/Makefile
already uses setup.py (cf.
https://github.com/SELinuxProject/selinux/blob/selinux-python-3.0-rc1/python/sepolicy/Makefile#L30),
so .pyc files are already generated in some Makefiles of the project.

Could you please confirm that "setup.py install" does not compile
Python scripts into bytecode on your system? This test can be achieved
for example by cloning https://github.com/SELinuxProject/selinux,
running "make -C python/sepolicy DESTDIR=/tmp/selinux install" and
searching for .pyc files in /tmp/selinux.

If "setup.py install" produces .pyc files on every system, from my
point of view there are several alternatives that can be considered:

1. Keep the current behavior by default and introduce a COMPILE_PY
boolean variable in Makefiles that produces both .pyc and .opt-1.pyc
files in Makefiles that do not use setup.py.
2. Generate .pyc files everywhere (what my patches do), and introduce
a OPTIMIZE_PY boolean variable in Makefiles that is used to trigger
the compilation to .opt-1.pyc files.
3. Mix 2 and 3 by introducing both COMPILE_PY and OPTIMIZE_PY.
4. Find a way for "setup.py install" not to produce such files in
python/sepolicy/Makefile and do as 1 or 3.

(A 5th option would be to compile both .pyc and .opt-1.pyc files
without introducing new variables, but this would go against what
appears to be a legitimate user request)

My personal preference here would be either 1. or 2. Would one of
these options suits Buildroot maintainers better?

Thanks,
Nicolas


      reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-02 17:28 Nicolas Iooss
2019-11-02 17:28 ` [PATCH 2/4] libsemanage: " Nicolas Iooss
2019-11-02 17:28 ` [PATCH 3/4] python: " Nicolas Iooss
2019-11-02 17:28 ` [PATCH 4/4] gui: " Nicolas Iooss
2019-11-02 20:18 ` [PATCH 1/4] libselinux: " Thomas Petazzoni
2019-11-03 20:57   ` Nicolas Iooss
2019-11-09 15:55     ` Nicolas Iooss [this message]

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAJfZ7=kihH_zrWHdYcR8qf9w9C_VSjcs4ShxUE1XeQv_VRG0eg@mail.gmail.com' \
    --to=nicolas.iooss@m4x.org \
    --cc=selinux@vger.kernel.org \
    --cc=thomas.petazzoni@bootlin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git