gh-145417: Do not preserve SELinux context when copying venv scripts (#145454)

author Shrey Naithani <shrey.naithani@shelllite.tech>

Thu, 5 Mar 2026 14:19:49 +0000 (19:49 +0530)

committer GitHub <noreply@github.com>

Thu, 5 Mar 2026 14:19:49 +0000 (15:19 +0100)
author Shrey Naithani <shrey.naithani@shelllite.tech>
Thu, 5 Mar 2026 14:19:49 +0000 (19:49 +0530)
committer GitHub <noreply@github.com>
Thu, 5 Mar 2026 14:19:49 +0000 (15:19 +0100)
diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py

index 68bcf535eada10483c75a74984361eb0303a78b9..78461abcd69f337c7dbd2cf9e590fe9c22a18984 100644 (file)
--- a/Lib/test/test_venv.py
+++ b/Lib/test/test_venv.py
@@ -11,12 +11,12 @@ import os
  import os.path
  import pathlib
  import re
+import shlex
  import shutil
  import subprocess
  import sys
  import sysconfig
  import tempfile
-import shlex
  from test.support import (captured_stdout, captured_stderr,
                            skip_if_broken_multiprocessing_synchronize, verbose,
                            requires_subprocess, is_android, is_apple_mobile,
@@ -373,6 +373,16 @@ class BasicTest(BaseTest):
              with open(fn, 'wb') as f:
                  f.write(b'Still here?')
  
+    @unittest.skipUnless(hasattr(os, 'listxattr'), 'test requires os.listxattr')
+    def test_install_scripts_selinux(self):
+        """
+        gh-145417: Test that install_scripts does not copy SELinux context
+        when copying scripts.
+        """
+        with patch('os.listxattr') as listxattr_mock:
+            venv.create(self.env_dir)
+            listxattr_mock.assert_not_called()
+
      def test_overwrite_existing(self):
          """
          Test creating environment in an existing directory.
diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py

index 19eddde700bcf95b70f3f419f24533d3a7160404..21f82125f5a7c404639fabf642e672e63fe465b8 100644 (file)
--- a/Lib/venv/__init__.py
+++ b/Lib/venv/__init__.py
@@ -581,7 +581,7 @@ class EnvBuilder:
                                     'may be binary: %s', srcfile, e)
                      continue
                  if new_data == data:
-                    shutil.copy2(srcfile, dstfile)
+                    shutil.copy(srcfile, dstfile)
                  else:
                      with open(dstfile, 'wb') as f:
                          f.write(new_data)
diff --git a/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst

new file mode 100644 (file)

index 0000000..17d62df
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst
@@ -0,0 +1,4 @@
+:mod:`venv`: Prevent incorrect preservation of SELinux context
+when copying the ``Activate.ps1`` script. The script inherited
+the SELinux security context of the system template directory,
+rather than the destination project directory.
author	Shrey Naithani <shrey.naithani@shelllite.tech>
	Thu, 5 Mar 2026 14:19:49 +0000 (19:49 +0530)
committer	GitHub <noreply@github.com>
	Thu, 5 Mar 2026 14:19:49 +0000 (15:19 +0100)
Lib/test/test_venv.py		patch \| blob \| blame \| history
Lib/venv/__init__.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst	[new file with mode: 0644]	patch \| blob