[3.14] gh-145417: Do not preserve SELinux context when copying venv scripts (GH-14545...

gh-145417: Do not preserve SELinux context when copying venv scripts (GH-145454)
(cherry picked from commit dbe0007ab2ff679c85d88e62fb875437b2dc2522)

Co-authored-by: Shrey Naithani <shrey.naithani@shelllite.tech>
Co-authored-by: Miro Hrončok <miro@hroncok.cz>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>

diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py
index d108165be51e84bff2e2b6181772ce5eaef76d54..e63b9dfc182411c11d081b0db87ddea08ab5c8be 100644 (file)
--- a/Lib/test/test_venv.py
+++ b/Lib/test/test_venv.py
@@ -11,13 +11,13 @@ import os
 import os.path
 import pathlib
 import re
+import shlex
 import shutil
 import struct
 import subprocess
 import sys
 import sysconfig
 import tempfile
-import shlex
 from test.support import (captured_stdout, captured_stderr,
                           skip_if_broken_multiprocessing_synchronize, verbose,
                           requires_subprocess, is_android, is_apple_mobile,
@@ -379,6 +379,16 @@ class BasicTest(BaseTest):
             with open(fn, 'wb') as f:
                 f.write(b'Still here?')
 
+    @unittest.skipUnless(hasattr(os, 'listxattr'), 'test requires os.listxattr')
+    def test_install_scripts_selinux(self):
+        """
+        gh-145417: Test that install_scripts does not copy SELinux context
+        when copying scripts.
+        """
+        with patch('os.listxattr') as listxattr_mock:
+            venv.create(self.env_dir)
+            listxattr_mock.assert_not_called()
+
     def test_overwrite_existing(self):
         """
         Test creating environment in an existing directory.

diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py
index 17ee28e826d5cf5c53339ffad0dc7381c5d7c6c7..88f3340af418342ec043876fa238d26afbf4a5d1 100644 (file)
--- a/Lib/venv/__init__.py
+++ b/Lib/venv/__init__.py
@@ -588,7 +588,7 @@ class EnvBuilder:
                                    'may be binary: %s', srcfile, e)
                     continue
                 if new_data == data:
-                    shutil.copy2(srcfile, dstfile)
+                    shutil.copy(srcfile, dstfile)
                 else:
                     with open(dstfile, 'wb') as f:
                         f.write(new_data)

diff --git a/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst
new file mode 100644 (file)
index 0000000..17d62df
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst
@@ -0,0 +1,4 @@
+:mod:`venv`: Prevent incorrect preservation of SELinux context
+when copying the ``Activate.ps1`` script. The script inherited
+the SELinux security context of the system template directory,
+rather than the destination project directory.