From cc2c276f222925c89ff95bd9ab6f29beeb382cb8 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> Date: Thu, 5 Mar 2026 18:44:29 +0100 Subject: [PATCH] [3.13] gh-145417: Do not preserve SELinux context when copying venv scripts (GH-145454) (#145550) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit gh-145417: Do not preserve SELinux context when copying venv scripts (GH-145454) (cherry picked from commit dbe0007ab2ff679c85d88e62fb875437b2dc2522) Co-authored-by: Shrey Naithani Co-authored-by: Miro Hrončok Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Victor Stinner --- Lib/test/test_venv.py | 12 +++++++++++- Lib/venv/__init__.py | 2 +- .../2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst | 4 ++++ 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py index 8b27ce18be17..56b717d3797d 100644 --- a/Lib/test/test_venv.py +++ b/Lib/test/test_venv.py @@ -11,13 +11,13 @@ import os import os.path import pathlib import re +import shlex import shutil import struct import subprocess import sys import sysconfig import tempfile -import shlex from test.support import (captured_stdout, captured_stderr, skip_if_broken_multiprocessing_synchronize, verbose, requires_subprocess, is_android, is_apple_mobile, @@ -375,6 +375,16 @@ class BasicTest(BaseTest): with open(fn, 'wb') as f: f.write(b'Still here?') + @unittest.skipUnless(hasattr(os, 'listxattr'), 'test requires os.listxattr') + def test_install_scripts_selinux(self): + """ + gh-145417: Test that install_scripts does not copy SELinux context + when copying scripts. + """ + with patch('os.listxattr') as listxattr_mock: + venv.create(self.env_dir) + listxattr_mock.assert_not_called() + def test_overwrite_existing(self): """ Test creating environment in an existing directory. diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py index f7a6d2614018..c45cb2eefb47 100644 --- a/Lib/venv/__init__.py +++ b/Lib/venv/__init__.py @@ -576,7 +576,7 @@ class EnvBuilder: 'may be binary: %s', srcfile, e) continue if new_data == data: - shutil.copy2(srcfile, dstfile) + shutil.copy(srcfile, dstfile) else: with open(dstfile, 'wb') as f: f.write(new_data) diff --git a/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst new file mode 100644 index 000000000000..17d62df72ce1 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst @@ -0,0 +1,4 @@ +:mod:`venv`: Prevent incorrect preservation of SELinux context +when copying the ``Activate.ps1`` script. The script inherited +the SELinux security context of the system template directory, +rather than the destination project directory. -- 2.47.3