Hi Ian, I'm not positive, but during cryptography's startup we use `std::thread::available_parallelism()` in Rust to get the number of cores for various things, and I suspect it is accessing the cgroups configuration to know if the process has limited threads.
If you wanted to really verify this, you could write a Rust program that just called `std::thread::available_parallelism()` and verify if it shows the same behavior.

Alex

On Wed, Aug 27, 2025 at 10:02 AM Ian Pilcher via Cryptography-dev <[email protected]> wrote:
>
> I've written a Python ACME client that I use to retrieve certificates
> from Let's Encrypt. It uses pyca/cryptography to generate and parse
> keys, certificates, CSRs, etc.
>
> Being a security conscious sort of person, I've also written an SELinux
> policy for it, and I've lately been seeing the following SELinux denial
> logged whenever the client runs.
>
> avc: denied { search } for pid=8304 comm="python.acg" name="/"
> dev="cgroup2" ino=1 scontext=system_u:system_r:acg_t:s0
> tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
>
> For some reason, my Python program is trying to read from
> /sys/fs/cgroup.
>
> I've used strace to verify that this is caused by importing pretty much
> any part of pyca/cryptography.
>
> So the question is ... *why* is pyca/cryptography trying to read cgroup
> information? This will determine whether I should allow or dontaudit
> this access in my policy.
>
> Thanks!
>
> --
> ========================================================================
> If your user interface is intuitive in retrospect ... it isn't intuitive
> ========================================================================
>
> _______________________________________________
> Cryptography-dev mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> https://mail.python.org/mailman3//lists/cryptography-dev.python.org
> Member address: [email protected]

--
All that is necessary for evil to succeed is for good people to do nothing.
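The check suggested in the reply, expanded into an added example (not part of the original thread, and not code from pyca/cryptography or the Rust standard library): it prints `std::thread::available_parallelism()` and then reads the process's own cgroup v2 `cpu.max` to show how a CPU quota would cap that number, and what happens when the file cannot be read. It assumes cgroup v2 mounted at `/sys/fs/cgroup`; the helper names `cap_by_cpu_max` and `cgroup_v2_dir` are hypothetical.

```rust
use std::{fs, thread};

/// Cap `cores` with the contents of a cgroup v2 `cpu.max` file, which holds
/// "<quota> <period>" in microseconds, or "max <period>" when unlimited.
/// Rounding down and never returning less than 1 is this example's choice.
fn cap_by_cpu_max(cpu_max: &str, cores: usize) -> usize {
    let mut fields = cpu_max.split_whitespace();
    let (Some(quota), Some(period)) = (fields.next(), fields.next()) else {
        return cores; // empty or malformed file: apply no cap
    };
    let (Ok(quota), Ok(period)) = (quota.parse::<usize>(), period.parse::<usize>()) else {
        return cores; // "max" (no limit) or a non-numeric field
    };
    if period == 0 {
        return cores;
    }
    cores.min(quota / period).max(1)
}

/// Directory of this process's cgroup, taken from a /proc/self/cgroup body.
/// The cgroup v2 entry has the form "0::<path>".
/// Assumption: cgroup v2 is mounted at /sys/fs/cgroup.
fn cgroup_v2_dir(proc_self_cgroup: &str) -> Option<String> {
    proc_self_cgroup
        .lines()
        .find_map(|l| l.strip_prefix("0::"))
        .map(|p| format!("/sys/fs/cgroup{}", p.trim_end_matches('/')))
}

fn main() {
    let reported = thread::available_parallelism().map(|n| n.get()).unwrap_or(1);
    println!("available_parallelism(): {reported}");

    let dir = fs::read_to_string("/proc/self/cgroup").ok().and_then(|s| cgroup_v2_dir(&s));
    match dir.map(|d| (fs::read_to_string(format!("{d}/cpu.max")), d)) {
        Some((Ok(body), d)) => {
            println!("{d}/cpu.max = {:?} -> cap {}", body.trim(), cap_by_cpu_max(&body, reported))
        }
        // An SELinux denial on the cgroup directory would land here.
        Some((Err(e), d)) => println!("{d}/cpu.max unreadable ({e}); no quota applied"),
        None => println!("no cgroup v2 entry in /proc/self/cgroup"),
    }
}
```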
