[3.13] gh-145417: Do not preserve SELinux context when copying venv scripts (GH-14545...

gh-145417: Do not preserve SELinux context when copying venv scripts (GH-145454)
(cherry picked from commit dbe0007ab2ff679c85d88e62fb875437b2dc2522)

Co-authored-by: Shrey Naithani <shrey.naithani@shelllite.tech>
Co-authored-by: Miro Hrončok <miro@hroncok.cz>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>

diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py
index 8b27ce18be178d688ec5b3c0e1bd60c3a27e6393..56b717d3797d6ec9a145be4ff0c1d80e4b38079d 100644 (file)
--- a/Lib/test/test_venv.py
+++ b/Lib/test/test_venv.py
@@ -11,13 +11,13 @@ import os
 import os.path
 import pathlib
 import re
+import shlex
 import shutil
 import struct
 import subprocess
 import sys
 import sysconfig
 import tempfile
-import shlex
 from test.support import (captured_stdout, captured_stderr,
                           skip_if_broken_multiprocessing_synchronize, verbose,
                           requires_subprocess, is_android, is_apple_mobile,
@@ -375,6 +375,16 @@ class BasicTest(BaseTest):
             with open(fn, 'wb') as f:
                 f.write(b'Still here?')
 
+    @unittest.skipUnless(hasattr(os, 'listxattr'), 'test requires os.listxattr')
+    def test_install_scripts_selinux(self):
+        """
+        gh-145417: Test that install_scripts does not copy SELinux context
+        when copying scripts.
+        """
+        with patch('os.listxattr') as listxattr_mock:
+            venv.create(self.env_dir)
+            listxattr_mock.assert_not_called()
+
     def test_overwrite_existing(self):
         """
         Test creating environment in an existing directory.

diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py
index f7a6d2614018c5c28c75479f751c4d65f6bdcc06..c45cb2eefb47955629de912fbac59c7cf73c4e83 100644 (file)
--- a/Lib/venv/__init__.py
+++ b/Lib/venv/__init__.py
@@ -576,7 +576,7 @@ class EnvBuilder:
                                    'may be binary: %s', srcfile, e)
                     continue
                 if new_data == data:
-                    shutil.copy2(srcfile, dstfile)
+                    shutil.copy(srcfile, dstfile)
                 else:
                     with open(dstfile, 'wb') as f:
                         f.write(new_data)

diff --git a/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst
new file mode 100644 (file)
index 0000000..17d62df
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst
@@ -0,0 +1,4 @@
+:mod:`venv`: Prevent incorrect preservation of SELinux context
+when copying the ``Activate.ps1`` script. The script inherited
+the SELinux security context of the system template directory,
+rather than the destination project directory.