ipa/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch


From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 1 Sep 2016 17:04:06 +0300
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.
Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
---
install/share/wsgi.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index ee9311e..bb201fa 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@
"""
WSGI appliction for IPA server.
"""
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
+
from ipaplatform.paths import paths
from ipalib import api
from ipalib.config import Env
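Review bot: the guard `sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None` only blocks the urllib3 copy vendored inside requests; a requests build that imports the system urllib3 loads the same glue code as `urllib3.contrib.pyopenssl`, which this key does not cover, so the execmem denial would come back on such a build. Suggest setting `sys.modules['urllib3.contrib.pyopenssl'] = None` alongside the existing line and stating in the comment that the hack assumes the vendored path. The comment block also reproduces the commit message's typos ("python-requsts", "is build on top", "which trigger a execmem"); since this text ships in wsgi.py, please correct them here.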
--
2.7.4