Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py
 import os.path
 import pathlib
 import re
 import shlex
 import shutil
 import subprocess
 import sys
 import sysconfig
 import tempfile
 importshlex
 importtime
 from test.support import (captured_stdout, captured_stderr,
                          skip_if_broken_multiprocessing_synchronize, verbose,
                          requires_subprocess, is_android, is_apple_mobile,
            with open(fn, 'wb') as f:
                f.write(b'Still here?')

    def test_install_scripts_mtime(self):
        """
        Test that install_scripts does not preserve mtime when copying scripts.
        Using mtime serves as a proxy to verify that shutil.copy2/copystat
        is not used during script installation,
        incorrectly copying e.g. SELinux bin_t context.
        See gh-145417.
        """
        venv_dir = os.path.dirname(venv.__file__)
        src_path = os.path.join(venv_dir, 'scripts', 'common', 'Activate.ps1')
        src_mtime = os.path.getmtime(src_path)

        # Ensure a temporal difference between src and dst creation
        if abs(time.time() - src_mtime) < 1.0:
            time.sleep(1.1)

        rmtree(self.env_dir)
        venv.create(self.env_dir)

        dst_path = os.path.join(self.env_dir, self.bindir, 'Activate.ps1')
        self.assertTrue(os.path.exists(dst_path), "Activate.ps1 not found in venv")
        dst_mtime = os.path.getmtime(dst_path)

        # shutil.copy should update mtime, whereas shutil.copy2 would preserve it
        self.assertNotEqual(src_mtime, dst_mtime,
                          "mtime was preserved, meaning shutil.copy2 was used")

        # Permissions and content should still match
        src_stat = os.stat(src_path)
        dst_stat = os.stat(dst_path)
        self.assertEqual(src_stat.st_mode, dst_stat.st_mode, "File modes do not match")

        with open(src_path, 'rb') as f:
            src_data = f.read()

        # Protection against the file becoming a template in the future
        self.assertNotIn(b'__VENV_PYTHON__', src_data,
                         "Test assumes Activate.ps1 is a static file, not a template")

        with open(dst_path, 'rb') as f:
            dst_data = f.read()

        self.assertEqual(src_data, dst_data, "File contents do not match")


    def test_overwrite_existing(self):
        """
        Test creating environment in an existing directory.
diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py
 'may be binary: %s',srcfile,e)
 continue
 ifnew_data==data:
 shutil.copy2(srcfile,dstfile)
 shutil.copy(srcfile,dstfile)
 else:
 withopen(dstfile,'wb')asf:
 f.write(new_data)
diff --git a/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst b/Misc/NEWS.d/next/Library/2026-03-03-11-49-44.gh-issue-145417.m_HxIL.rst
 Prevent incorrect preservation of SELinux context when copying scripts in :mod:`venv`.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -11,12 +11,13 @@
		import os.path
		import pathlib
		import re
		import shlex
		import shutil
		import subprocess
		import sys
		import sysconfig
		import tempfile
		importshlex
		importtime
		from test.support import (captured_stdout, captured_stderr,
		skip_if_broken_multiprocessing_synchronize, verbose,
		requires_subprocess, is_android, is_apple_mobile,
Expand DownExpand Up		@@ -373,6 +374,51 @@ def create_contents(self, paths, filename):
		with open(fn, 'wb') as f:
		f.write(b'Still here?')

		def test_install_scripts_mtime(self):
		"""
		Test that install_scripts does not preserve mtime when copying scripts.
		Using mtime serves as a proxy to verify that shutil.copy2/copystat
		is not used during script installation,
		incorrectly copying e.g. SELinux bin_t context.
		See gh-145417.
		"""
		venv_dir = os.path.dirname(venv.__file__)
		src_path = os.path.join(venv_dir, 'scripts', 'common', 'Activate.ps1')
		src_mtime = os.path.getmtime(src_path)

		# Ensure a temporal difference between src and dst creation
		if abs(time.time() - src_mtime) < 1.0:
		time.sleep(1.1)

		rmtree(self.env_dir)
		venv.create(self.env_dir)

		dst_path = os.path.join(self.env_dir, self.bindir, 'Activate.ps1')
		self.assertTrue(os.path.exists(dst_path), "Activate.ps1 not found in venv")
		dst_mtime = os.path.getmtime(dst_path)

		# shutil.copy should update mtime, whereas shutil.copy2 would preserve it
		self.assertNotEqual(src_mtime, dst_mtime,
		"mtime was preserved, meaning shutil.copy2 was used")

		# Permissions and content should still match
		src_stat = os.stat(src_path)
		dst_stat = os.stat(dst_path)
		self.assertEqual(src_stat.st_mode, dst_stat.st_mode, "File modes do not match")

		with open(src_path, 'rb') as f:
		src_data = f.read()

		# Protection against the file becoming a template in the future
		self.assertNotIn(b'__VENV_PYTHON__', src_data,
		"Test assumes Activate.ps1 is a static file, not a template")
Comment on lines +413 to +414 Copy link Contributor hroncokMar 3, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Suggestion: Move this before the equality check. It's unlikely the files will be identical when this happens, and this assertion is more meaningful than the previous one.

		with open(dst_path, 'rb') as f:
		dst_data = f.read()

		self.assertEqual(src_data, dst_data, "File contents do not match")


		def test_overwrite_existing(self):
		"""
		Test creating environment in an existing directory.
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -581,7 +581,7 @@ def skip_file(f):
		'may be binary: %s',srcfile,e)
		continue
		ifnew_data==data:
		shutil.copy2(srcfile,dstfile)
		shutil.copy(srcfile,dstfile)
		else:
		withopen(dstfile,'wb')asf:
		f.write(new_data)
Expand Down
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Prevent incorrect preservation of SELinux context when copying scripts in :mod:`venv`.