View Issue Details

ID: 0016389
Project: CentOS-7
Category: python
View Status: public
Last Update: 2019-11-13 14:28
Reporter: ssbarnea
Priority: high
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Platform: Linux
OS: CentOS
OS Version: 7.7
Product Version: 7.6.1810
Target Version:
Fixed in Version:
Summary: 0016389: python3-libselinux package is missing
Description
As 7.7 introduced native python3.6 support, it seems that libselinux python bindings are missing and these are essential for lots of modules, most notably ansible is pretty much useless without python-libselinux extensions.

What is worse is that there is no way to install these with pip, these need to be compiled on the same system they will be used on, as they depend on the local libselinux version. They are so important that I would propose including them with the python3 package itself.
Steps To Reproduce
yum-config-manager --enable cr
yum update
yum install python36
python3 -c "import selinux"
# python3 -c "import selinux"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ModuleNotFoundError: No module named 'selinux'



Additional Information
root@n0:~ # yum search libselinux
libselinux-python.x86_64 : SELinux python bindings for libselinux

Clearly we need a python3-libselinux package.
Tags: python, selinux
abrt_hash:
URL:
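A preflight check for the situation reported above, as an added example that is not part of the original report: it reads the SELinux mode from selinuxfs without needing the bindings, then tests whether the `selinux` module is importable by the interpreter that runs it (system python3 or a virtualenv). The function names and the "blocked" rule (SELinux enabled but no bindings) are assumptions made for this illustration.

```python
import importlib.util
import os


def selinux_mode(sysfs_root="/sys/fs/selinux"):
    """Return 'enforcing', 'permissive' or 'disabled' without the bindings."""
    try:
        with open(os.path.join(sysfs_root, "enforce")) as fh:
            return "enforcing" if fh.read().strip() == "1" else "permissive"
    except OSError:
        # selinuxfs is not mounted (or not readable): treat as disabled.
        return "disabled"


def bindings_available(module="selinux"):
    """True if this interpreter can locate the bindings module."""
    return importlib.util.find_spec(module) is not None


def preflight(sysfs_root="/sys/fs/selinux", module="selinux"):
    """Summarise whether SELinux-aware tooling can run under this interpreter.

    Assumption for this example: tooling is 'blocked' when SELinux is
    enabled on the host but the bindings cannot be imported.
    """
    mode = selinux_mode(sysfs_root)
    have = bindings_available(module)
    return {"mode": mode, "bindings": have,
            "blocked": mode != "disabled" and not have}


if __name__ == "__main__":
    result = preflight()
    print(result)
    # Non-zero exit lets a CI job fail early instead of mid-playbook.
    raise SystemExit(1 if result["blocked"] else 0)
```

Run it with each interpreter you intend to test with; the result is per interpreter, because the bindings are built against one specific Python version.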

Activities

arrfab

2019-09-05 11:59

administrator   ~0035069

Ansible is supposed to use the default python on EL7, which *is* still python2, so libselinux-python is the one that would be used.
AFAIK, there is no python3-libselinux pkg in EL7.
So can you provide more information about the issue you have?
ssbarnea

2019-09-05 12:31

reporter   ~0035070

* "selinux" python module is needed by ansible (jinja2 templating) and this special module cannot be installed using pip.
* the whole point of having python36 on centos7 was to prepare code to migrate, if we don't have selinux we cannot test it.
* yes for python2 there is the "libselinux-python" package, but we need the same for python3.

RHEL8/CentOS8/Fedora28+ do all have the python3-libselinux package, we just need to recompile it on CentOS7-with-python36 so we can use this interpreter for testing.

I will say it again, python-libselinux is special because, as opposed to other python modules which, even if they are binary, can be compiled via a pip install, this one cannot and, worse, its binary is dependent on both selinux/kernel and python version. We do need to provide it.

I should mention that it may prove to be more convenient to build and include selinux with the python distribution itself instead of creating a new rpm, the module itself is extremely small and is not loaded implicitly.

Regarding your question related to "ansible is supposed to use system python": yes this is true unless you use Ansible for testing and your testing requires python3. Ansible itself perfectly supports using python3. Anyone can create a virtualenv and install ansible in it and use it from there, but if they lack a selinux module for that python version, they are mainly blocked.
TrevorH

2019-09-05 12:32

manager   ~0035071

The package is not in RHEL. CentOS is a rebuild of RHEL. You need to ask them.
noonedeadpunk

2019-09-11 10:00

reporter   ~0035088

That's real unlucky, since it makes python3 real useless in terms of running ansible since even very simple things fail https://zuul.opendev.org/t/openstack/build/a871f761c3a647f99e3a78bac2f59f77/log/job-output.txt#11774
ssbarnea

2019-09-11 10:18

reporter   ~0035089

I also raised a bug against RHEL7 at https://bugzilla.redhat.com/show_bug.cgi?id=1751163 but this bug should not be an excuse for not building an rpm.

There is a big difference between CentOS7 and RHEL7: CentOS7 is the latest supported CentOS version, which is not the case for RHEL7.

Also CentOS7 is used as a base for preparing other products to work with Red Hat platforms, for example OpenStack, so it is in our interest to allow developers to test their code as soon as possible, so they would work better with our platforms.
ssbarnea

2019-09-11 11:40

reporter   ~0035090

Tracking bug should be https://bugzilla.redhat.com/show_bug.cgi?id=1719978
arrfab

2019-09-11 12:32

administrator   ~0035092

But that bug is private so don't know what it says .. :)
ssbarnea

2019-09-11 12:51

reporter   ~0035093

@arrfab I was not the one that made it private but I added you to it, which should give you access. Hopefully we can find a way to address it.
carlwgeorge

2019-09-11 13:11

reporter   ~0035094

Hey y'all, original reporter of https://bugzilla.redhat.com/show_bug.cgi?id=1719978 here. I think it's worth emphasizing that libselinux-python3 is a disabled subpackage of libselinux. All that would be required for CentOS to ship it in CentOS 7.7.1908 would be to remove the fedora conditional around the with_python3 macro.

https://git.centos.org/rpms/libselinux/blob/c7/f/SPECS/libselinux.spec#_1-3

Yes, this would be CentOS diverging from RHEL. But it's not like it's a request to add a completely new package. I think in this case it's worth consideration.
ssbarnea

2019-09-25 18:31

reporter   ~0035215

To add more fun to the game, it seems that python2-libselinux is missing from CentOS 8, raised as https://bugs.centos.org/view.php?id=16458

This means no version of CentOS can be used to test both python2 and python3 code. I guess that does make it unlikely to be the preferred development OS for python developers.
tru

2019-09-25 20:39

administrator   ~0035220

Would you step forward to maintain it for the remaining lifetime of CentOS-7?
ssbarnea

2019-10-14 09:24

reporter   ~0035459

libselinux-python3 was already approved to be built for centos-7 as stated on https://bugzilla.redhat.com/show_bug.cgi?id=1756015 so this should reach centos soon.
neilrieck

2019-11-01 15:57

reporter   ~0035627

I'm hoping that libselinux-python3 (when it is finally available) will work for all versions of CentOS-7. In SELinux enforcing mode, Python3 is not allowed to write PYC files to folder "__pycache__" in lower priv areas like the cgi-bin directory of Apache. We currently fixed this by moving SELinux into permissive mode but that always makes me nervous. Anyway, since Python2 is effectively dead in 2020 (according to Guido) let's hope that all Linux distros begin to pay more attention to their Python3 implementations. https://pythonclock.org/
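One way to stop the interpreter from needing to write "__pycache__" at request time while SELinux stays in enforcing mode, shown as an added example that is not part of the thread: compile the bytecode once at deploy time and verify that no source file is left with a missing or stale .pyc. The function names are hypothetical, and the directory passed in is whatever holds the scripts.

```python
import compileall
import importlib.util
import os
import sys


def _pyc_matches(src, pyc):
    """True if pyc exists and was compiled from the current version of src."""
    try:
        with open(pyc, "rb") as fh:
            header = fh.read(16)
    except OSError:
        return False
    if header[:4] != importlib.util.MAGIC_NUMBER:
        return False          # built by a different Python version
    # Python 3.7+ puts a flags word before the mtime (PEP 552); 3.6 does not.
    off = 8 if sys.version_info >= (3, 7) else 4
    if off == 8 and int.from_bytes(header[4:8], "little") & 1:
        return True           # hash-based pyc: not validated by mtime here
    recorded = int.from_bytes(header[off:off + 4], "little")
    return recorded == int(os.stat(src).st_mtime) & 0xFFFFFFFF


def stale_sources(root):
    """List .py files under root whose cached bytecode is missing or stale."""
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                src = os.path.join(dirpath, name)
                if not _pyc_matches(src, importlib.util.cache_from_source(src)):
                    stale.append(src)
    return sorted(stale)


def precompile(root):
    """Compile everything under root; True only if nothing is left stale."""
    ok = compileall.compile_dir(root, quiet=1)
    return bool(ok) and not stale_sources(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    raise SystemExit(0 if precompile(target) else 1)
```

Run it as the deploying user after every code update; a non-empty `stale_sources()` result afterwards means the interpreter would try to write bytecode on the next import.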
neilrieck

2019-11-13 14:28

reporter   ~0035685

According to RPM find, another distro has already produced a solution

https://rpmfind.net/linux/rpm2html/search.php?query=libselin*python3*&submit=Search+...&system=&arch=

Issue History

Date Modified Username Field Change
2019-09-05 11:45 ssbarnea New Issue
2019-09-05 11:59 arrfab Status new => feedback
2019-09-05 11:59 arrfab Note Added: 0035069
2019-09-05 12:31 ssbarnea Note Added: 0035070
2019-09-05 12:31 ssbarnea Status feedback => assigned
2019-09-05 12:32 TrevorH Note Added: 0035071
2019-09-11 10:00 noonedeadpunk Note Added: 0035088
2019-09-11 10:18 ssbarnea Note Added: 0035089
2019-09-11 11:40 ssbarnea Note Added: 0035090
2019-09-11 12:32 arrfab Note Added: 0035092
2019-09-11 12:34 arrfab Status assigned => feedback
2019-09-11 12:51 ssbarnea Note Added: 0035093
2019-09-11 12:51 ssbarnea Status feedback => assigned
2019-09-11 13:11 carlwgeorge Note Added: 0035094
2019-09-25 18:25 ssbarnea Tag Attached: selinux
2019-09-25 18:25 ssbarnea Tag Attached: python
2019-09-25 18:31 ssbarnea Note Added: 0035215
2019-09-25 20:39 tru Note Added: 0035220
2019-10-14 09:24 ssbarnea Note Added: 0035459
2019-11-01 15:57 neilrieck Note Added: 0035627
2019-11-13 14:28 neilrieck Note Added: 0035685