Update SELinux execmem workaround

The dcerpc crypto changes were merged upstream.
Alexander Bokovoy 2016-09-01 17:05:35 +03:00
parent 64545c1505
commit 5f5010dd71


@ -1,9 +1,8 @@
From 7d34dd15aa0365b1cd9d4bac9646aa4fa883f876 Mon Sep 17 00:00:00 2001 From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com> From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 3 Dec 2015 14:26:19 +0100 Date: Thu, 1 Sep 2016 17:04:06 +0300
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography
ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module. module.
@ -12,38 +11,18 @@ python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem). in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial. enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError. A hack in wsgi.py prevents the import by raising an ImportError.
--- ---
freeipa.spec.in | 2 ++
install/share/wsgi.py | 14 ++++++++++++++ install/share/wsgi.py | 14 ++++++++++++++
ipaserver/dcerpc.py | 32 +++++++++++++++++++++++--------- 1 file changed, 14 insertions(+)
3 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 542dc28..cd05709 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -72,6 +72,7 @@ BuildRequires: python-ldap
BuildRequires: python-setuptools
BuildRequires: python-nss
BuildRequires: python-cryptography >= 0.9
+BuildRequires: m2crypto
BuildRequires: python-netaddr
BuildRequires: python-gssapi >= 1.1.2
BuildRequires: python-rhsm
@@ -483,6 +484,7 @@ Requires: keyutils
Requires: pyOpenSSL
Requires: python-nss >= 0.16
Requires: python-cryptography >= 0.9
+Requires: m2crypto
Requires: python-lxml
Requires: python-netaddr
Requires: python-libipa_hbac
diff --git a/install/share/wsgi.py b/install/share/wsgi.py diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index ee9311e..ba42c34 100644 index ee9311e..bb201fa 100644
--- a/install/share/wsgi.py --- a/install/share/wsgi.py
+++ b/install/share/wsgi.py +++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@ @@ -23,6 +23,20 @@
@ -67,63 +46,6 @@ index ee9311e..ba42c34 100644
from ipalib import api from ipalib import api
from ipalib.config import Env from ipalib.config import Env
from ipalib.constants import DEFAULT_CONFIG from ipalib.constants import DEFAULT_CONFIG
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index bb58945..63df946 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -42,8 +42,6 @@ from samba.ndr import ndr_pack, ndr_print
from samba import net
import samba
import random
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
-from cryptography.hazmat.backends import default_backend
try:
from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
except ImportError:
@@ -65,6 +63,29 @@ if six.PY3:
unicode = str
long = int
+# Some versions of python-cryptography depend on python-cffi callbacks which
+# are built on top of libffi's closure API. The closures require writeable
+# and executable anonymous memory mappings, which violate SELinux execmem
+# rules such as 'httpd_execmem'. Prefer M2Crypto on Python 2.
+try:
+ from M2Crypto import RC4
+except ImportError:
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
+ from cryptography.hazmat.backends import default_backend
+
+ def arcfour_encrypt(key, data):
+ """RC4 with python-cryptography"""
+ algorithm = algorithms.ARC4(key)
+ cipher = Cipher(algorithm, mode=None, backend=default_backend())
+ encryptor = cipher.encryptor()
+ return encryptor.update(data)
+else:
+ def arcfour_encrypt(key, data):
+ """RC4 with M2Crypto"""
+ c = RC4.RC4(key)
+ return c.update(data)
+
+
__doc__ = _("""
Classes to manage trust joins using DCE-RPC calls
@@ -135,13 +156,6 @@ def assess_dcerpc_exception(num=None,message=None):
return errors.RemoteRetrieveError(reason=reason)
-def arcfour_encrypt(key, data):
- algorithm = algorithms.ARC4(key)
- cipher = Cipher(algorithm, mode=None, backend=default_backend())
- encryptor = cipher.encryptor()
- return encryptor.update(data)
-
-
class ExtendedDNControl(LDAPControl):
# This class attempts to implement LDAP control that would work
# with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
-- --
2.5.0 2.7.4
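Review bot: The carried patch's own commit message is left starting mid-sentence: `ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's` is printed only once and the first hunk's counts (-1,9 +1,8) point to it being the removed line, so the surviving description opens with `pki.client no longer tries to use PyOpenSSL instead of Python's ssl` without its subject. Since the dcerpc part is no longer carried, rewrap that paragraph as `Dogtag's pki.client no longer tries to use PyOpenSSL instead of Python's ssl module.` so the text matches what the patch still changes. Separately, the wsgi.py index line moves from `ee9311e..ba42c34` to `ee9311e..bb201fa` while every visible wsgi.py hunk line is identical on both sides; if the hunk body really did not change, that post-image hash appears to have been regenerated from a different tree and is worth confirming before merging. The wsgi.py hunk body itself lies outside the rendered section, so this cannot be checked from here.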