gh-145417: Do not preserve SELinux context when copying venv scripts (#145454)

Shrey-N · hroncok · blurb-it[bot] · web-flow · commit dbe0007ab2ff · 2026-03-05T15:19:49.000+01:00
Co-authored-by: Miro Hrončok &lt;miro@hroncok.cz&gt;
Co-authored-by: blurb-it[bot] &lt;43283697+blurb-it[bot]@users.noreply.github.com&gt;
Co-authored-by: Victor Stinner &lt;vstinner@python.org&gt;
diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py
@@ -11,12 +11,12 @@
 import os.path
 import pathlib
 import re
+import shlex
 import shutil
 import subprocess
 import sys
 import sysconfig
 import tempfile
-import shlex
 from test.support import (captured_stdout, captured_stderr,
                           skip_if_broken_multiprocessing_synchronize, verbose,
                           requires_subprocess, is_android, is_apple_mobile,
@@ -373,6 +373,16 @@ def create_contents(self, paths, filename):
             with open(fn, 'wb') as f:
                 f.write(b'Still here?')
 
+    @unittest.skipUnless(hasattr(os, 'listxattr'), 'test requires os.listxattr')
+    def test_install_scripts_selinux(self):
+        """
+        gh-145417: Test that install_scripts does not copy SELinux context
+        when copying scripts.
+        """
+        with patch('os.listxattr') as listxattr_mock:
+            venv.create(self.env_dir)
+            listxattr_mock.assert_not_called()
+
     def test_overwrite_existing(self):
         """
         Test creating environment in an existing directory.
diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py
@@ -581,7 +581,7 @@ def skip_file(f):
                                    'may be binary: %s', srcfile, e)
                     continue
                 if new_data == data:
-                    shutil.copy2(srcfile, dstfile)
+                    shutil.copy(srcfile, dstfile)
                 else:
                     with open(dstfile, 'wb') as f:
                         f.write(new_data)
diff --git a/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst
@@ -0,0 +1,4 @@
+:mod:`venv`: Prevent incorrect preservation of SELinux context
+when copying the ``Activate.ps1`` script. The script inherited
+the SELinux security context of the system template directory,
+rather than the destination project directory.
