From 5f5010dd712c20331e9c040d194ffc758c02a245 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 1 Sep 2016 17:05:35 +0300
Subject: [PATCH] Update SELinux execmem workaround
dcerpc crypto changes were merged upstream
---
 ...SELinux-execmem-violations-in-crypto.patch | 94 ++-----------------
 1 file changed, 8 insertions(+), 86 deletions(-)
diff --git a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
index 99ecd18..632e68f 100644
--- a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+++ b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
@@ -1,9 +1,8 @@
-From 7d34dd15aa0365b1cd9d4bac9646aa4fa883f876 Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Thu, 3 Dec 2015 14:26:19 +0100
+From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 1 Sep 2016 17:04:06 +0300
 Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography
-ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's pki.client no longer tries to use PyOpenSSL instead of Python's ssl module.
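Review bot: The inner patch's description seems to be left opening with a sentence fragment after this hunk: the removed line ends at `pki.client`, and the hunk counts (9 old lines against 8 new with three header lines swapped) imply exactly one further removal, so the continuation `no longer tries to use PyOpenSSL instead of Python's ssl module.` presumably survives as context and becomes the first sentence of the description. Either remove that line as well or reword it into a full sentence, for example `Dogtag's pki.client no longer tries to use PyOpenSSL instead of Python's ssl module.`, if that claim is still what the remaining wsgi.py hunk depends on. Whether the continuation really is a separate line cannot be confirmed from the collapsed text shown here.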
@@ -12,38 +11,18 @@ python-requsts to make HTTPS connection.
 python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem).
+
 When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial.
+
 A hack in wsgi.py prevents the import by raising an ImportError.
 ---
- freeipa.spec.in | 2 ++
 install/share/wsgi.py | 14 ++++++++++++++
- ipaserver/dcerpc.py | 32 +++++++++++++++++++++++---------
- 3 files changed, 39 insertions(+), 9 deletions(-)
+ 1 file changed, 14 insertions(+)
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 542dc28..cd05709 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -72,6 +72,7 @@ BuildRequires: python-ldap
- BuildRequires: python-setuptools
- BuildRequires: python-nss
- BuildRequires: python-cryptography >= 0.9
-+BuildRequires: m2crypto
- BuildRequires: python-netaddr
- BuildRequires: python-gssapi >= 1.1.2
- BuildRequires: python-rhsm
-@@ -483,6 +484,7 @@ Requires: keyutils
- Requires: pyOpenSSL
- Requires: python-nss >= 0.16
- Requires: python-cryptography >= 0.9
-+Requires: m2crypto
- Requires: python-lxml
- Requires: python-netaddr
- Requires: python-libipa_hbac
 diff --git a/install/share/wsgi.py b/install/share/wsgi.py
-index ee9311e..ba42c34 100644
+index ee9311e..bb201fa 100644
 --- a/install/share/wsgi.py
 +++ b/install/share/wsgi.py
 @@ -23,6 +23,20 @@
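Review bot: The reworked description still leaves out the security prerequisite the surviving workaround depends on: once `A hack in wsgi.py prevents the import by raising an ImportError.` takes effect, every HTTPS connection python-requests makes from the IPA server (the Dogtag calls the first paragraph mentions) is terminated by the interpreter's stdlib `ssl` module rather than PyOpenSSL, so SNI and hostname verification are only as good as that module, and on a Python 2.7 without the 2.7.9/PEP 466 feature set urllib3 presumably drops to weaker verification. Adding one line after that sentence would make the trade-off visible to whoever ports this patch: `The stdlib ssl module must provide SNI and hostname verification (Python 2.7.9+ or the PEP 466 backport); this is a workaround for the httpd_execmem denial, not a reason to enable that SELinux boolean.` Separately, the `index ee9311e..ba42c34` to `bb201fa` change with no visible edit to the wsgi.py hunk lines suggests the patch was regenerated on a newer base, so the `@@ -23,6 +23,20 @@` hunk should be re-checked against that base rather than assumed unchanged.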
@@ -67,63 +46,6 @@ index ee9311e..ba42c34 100644
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
-diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
-index bb58945..63df946 100644
---- a/ipaserver/dcerpc.py
-+++ b/ipaserver/dcerpc.py
-@@ -42,8 +42,6 @@ from samba.ndr import ndr_pack, ndr_print
- from samba import net
- import samba
- import random
--from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
--from cryptography.hazmat.backends import default_backend
- try:
- from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
- except ImportError:
-@@ -65,6 +63,29 @@ if six.PY3:
- unicode = str
- long = int
-
-+# Some versions of python-cryptography depend on python-cffi callbacks which
-+# are built on top of libffi's closure API. The closures require writeable
-+# and executable anonymous memory mappings, which violate SELinux execmem
-+# rules such as 'httpd_execmem'. Prefer M2Crypto on Python 2.
-+try:
-+ from M2Crypto import RC4
-+except ImportError:
-+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
-+ from cryptography.hazmat.backends import default_backend
-+
-+ def arcfour_encrypt(key, data):
-+ """RC4 with python-cryptography"""
-+ algorithm = algorithms.ARC4(key)
-+ cipher = Cipher(algorithm, mode=None, backend=default_backend())
-+ encryptor = cipher.encryptor()
-+ return encryptor.update(data)
-+else:
-+ def arcfour_encrypt(key, data):
-+ """RC4 with M2Crypto"""
-+ c = RC4.RC4(key)
-+ return c.update(data)
-+
-+
- __doc__ = _("""
- Classes to manage trust joins using DCE-RPC calls
-
-@@ -135,13 +156,6 @@ def assess_dcerpc_exception(num=None,message=None):
- return errors.RemoteRetrieveError(reason=reason)
- -def arcfour_encrypt(key, data):
-- algorithm = algorithms.ARC4(key)
-- cipher = Cipher(algorithm, mode=None, backend=default_backend())
-- encryptor = cipher.encryptor()
-- return encryptor.update(data)
--
--
- class ExtendedDNControl(LDAPControl):
- # This class attempts to implement LDAP control that would work
- # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
 --
-2.5.0
+2.7.4