View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0016389||CentOS-7||python||public||2019-09-05 11:45||2019-12-10 20:54|
|Target Version||Fixed in Version|
|Summary||0016389: python3-libselinux package is missing|
|Description||As 7.7 introduced native python3.6 support, it seems that libselinux python bindins are missing and these are essential for lots of module, most notably ansible is pretty much useless without python-libselinux extensions.|
What is worse is that there is no way to install these with pip, these need to be compiled on the same system they will be used as they depends on local libselinux verison. They are so important that I would propose including them with python3 package itself
|Steps To Reproduce||yum-config-manager --enable cr|
yum install python36
python3 -c "import selinux"
# python3 -c "import selinux"
Traceback (most recent call last):
File "<string>", line 1, in <module>
ModuleNotFoundError: No module named 'selinux'
|Additional Information||root@n0:~ # yum search libselinux|
libselinux-python.x86_64 : SELinux python bindings for libselinux
Clearly we need a python3-libselinux package.
Ansible is supposed to use the default python on EL7, which *is* still python2, so libselinux-python is the one that would be used.
AFAIK, there is no python3-libselinux pkg in EL7.
So can you provide more informations about the issue you have ?
* "selinux" python module is needed by ansible (jinja2 templating) and this special module cannot be installed using pip.
* the whole point of having python36 on centos7 was to prepare code to migrate, if we don't have selinux we cannot test it.
* yes for python2 there is the "libselinux-python" package, but we need the same for python3.
RHEL8/CentOS8/Fedora28+ do all have the python3-libselinux package, we just need to recompile it on CentOS7-with-python36 so we can use this interpreter for testing.
I will say it again, python-libselinux is special because opposed to other python modules which even if they are binary can be compiled via a pip-installed. This one cannot and worse, its binary is binary dependent on both selinux/kernel and python version. We do need to provide it.
I should mention that it may prove to be more convenient to build and include selinux with python distribution itself instead of creating a new rpm, the module itself is extremely small and is not loaded implicitlely.
Regarding your question related to "ansible is supposed to use system python": yes this is true unless you use Ansible for testing and your testing requires python3. Ansible itself perfectly supports using python3. Anyone can create a virtualenv and install ansible in it and use it from there, but if they lack a selinux module for that python version, they are mainly blocked.
|The package is not in RHEL. CentOS is a rebuild of RHEL. You need to ask them.|
|That's real unlucky, since it makes python3 real useless in terms of running ansible since even very simple things fail https://zuul.opendev.org/t/openstack/build/a871f761c3a647f99e3a78bac2f59f77/log/job-output.txt#11774|
I also raised a bug against RHEL7 at https://bugzilla.redhat.com/show_bug.cgi?id=1751163 but this bug should not be an excuse for not building a rpm.
There is a big difference between CentOS7 and RHEL7: Centos7 is latest supported CentOS version, which is not the case for RHEL7.
Also CentOS7 is used as a base for preparing other products to work with Red Hat platforms, example OpenStack so is in our interest to allow developers to test their code as soon as possible, so they would work better with our platforms.
|Tracking bug should be https://bugzilla.redhat.com/show_bug.cgi?id=1719978|
|But that bug is private so don't know what it says .. :)|
|@arrfab I was not the one that made it private but I added you to it which should give your access. Hopefully we can find a way to address it.|
Hey y'all, original reporter of https://bugzilla.redhat.com/show_bug.cgi?id=1719978 here. I think it's worth emphasizing that libselinux-python3 is a disabled subpackage of libselinux. All that would be required for CentOS to ship it in CentOS 7.7.1908 would be to remove the fedora conditional around the with_python3 macro.
Yes, this would be CentOS diverging from RHEL. But it's not like it's a request to add a completely new package. I think in this case it's worth consideration.
To add more fun to the game, it seems that python2-libselinux is missing from CentOS 8, raised as https://bugs.centos.org/view.php?id=16458
This means no version of CentOS can be used to test both python2 and python3 code. I guess that does make it unlikely to be preferred development OS for python developers.
|would you step forward to maintain it for the remaining lifetime of CentOS-7?|
|libselinux-python3 was already approved to be build for centos-7 as stated on https://bugzilla.redhat.com/show_bug.cgi?id=1756015 so this should reach centos soon.|
|I'm hoping that libselinux-python3 (when it is finally available) will work for all versions of CentOS-7. In SELinux enforcing mode, Python3 is not allowed to write PYC files to folder "__pycache__" in lower priv areas like the cgi-bin directory of Apache. We currently fixed this by moving SELinux into permissive mode but that always makes me nervous. Anyway, since Python2 is effectively dead in 2020 (according to Guido) let's hope that all Linux distros begin to pay more attention their Python3 implementations. https://pythonclock.org/|
According to RPM find, another distro has already produced a solution
> Python2 is effectively dead in 2020
To clarify, python2 in RHEL 7 is supported for the lifetime of RHEL 7
|I am not sure how long RHEL 7 will be supported but problems are on the horizon which remind me of y2k (a looming problem but many continue to sleep-walk). So here's my sermon: many admin tools (yum and firewall-cmd are the first two which spring to mind) are written in python2 but the authors of Python2 have stated that there will be no security updates provided to python2 after 2020-01-01. Everyone knows that security is a constantly changing game of cat-and-mouse which means that some day soon, the Python2-based yum tool which is used to update both CentOS and RHEL, will not be secure. So we have two big issues here: customer code written in Python2 should be repaired so that it will work properly under Python3, and the Linux admin tools need to be upgraded ASAP just to protect future Linux updates.|
|Everything in the distro is supported by Red Hat until the demise of the distro 10 years after it it was first released. There is no looming python2 problem as it's supported by Red Hat until 2024|
|FYI RHEL support policy is published at https://access.redhat.com/support/policy/updates/errata/|
|2019-09-05 11:45||ssbarnea||New Issue|
|2019-09-05 11:59||arrfab||Status||new => feedback|
|2019-09-05 11:59||arrfab||Note Added: 0035069|
|2019-09-05 12:31||ssbarnea||Note Added: 0035070|
|2019-09-05 12:31||ssbarnea||Status||feedback => assigned|
|2019-09-05 12:32||TrevorH||Note Added: 0035071|
|2019-09-11 10:00||noonedeadpunk||Note Added: 0035088|
|2019-09-11 10:18||ssbarnea||Note Added: 0035089|
|2019-09-11 11:40||ssbarnea||Note Added: 0035090|
|2019-09-11 12:32||arrfab||Note Added: 0035092|
|2019-09-11 12:34||arrfab||Status||assigned => feedback|
|2019-09-11 12:51||ssbarnea||Note Added: 0035093|
|2019-09-11 12:51||ssbarnea||Status||feedback => assigned|
|2019-09-11 13:11||carlwgeorge||Note Added: 0035094|
|2019-09-25 18:25||ssbarnea||Tag Attached: selinux|
|2019-09-25 18:25||ssbarnea||Tag Attached: python|
|2019-09-25 18:31||ssbarnea||Note Added: 0035215|
|2019-09-25 20:39||tru||Note Added: 0035220|
|2019-10-14 09:24||ssbarnea||Note Added: 0035459|
|2019-11-01 15:57||neilrieck||Note Added: 0035627|
|2019-11-13 14:28||neilrieck||Note Added: 0035685|
|2019-12-05 15:59||apevec||Note Added: 0035804|
|2019-12-10 20:35||neilrieck||Note Added: 0035813|
|2019-12-10 20:49||TrevorH||Note Added: 0035814|
|2019-12-10 20:54||apevec||Note Added: 0035815|