Update SELinux execmem workaround
dcerpc crypto changes were merged upstream
This commit is contained in:
Alexander Bokovoy
parent
64545c1505
commit
5f5010dd71
@ -1,9 +1,8 @@
|
||||
From 7d34dd15aa0365b1cd9d4bac9646aa4fa883f876 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Thu, 3 Dec 2015 14:26:19 +0100
|
||||
From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 1 Sep 2016 17:04:06 +0300
|
||||
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography
|
||||
|
||||
ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
|
||||
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
|
||||
module.
|
||||
|
||||
@ -12,38 +11,18 @@ python-requsts to make HTTPS connection. python-requests prefers
|
||||
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
|
||||
of python-cryptography which trigger a execmem SELinux violation
|
||||
in the context of Apache HTTPD (httpd_execmem).
|
||||
|
||||
When requests is imported, it always tries to import pyopenssl glue
|
||||
code from urllib3's contrib directory. The import of PyOpenSSL is
|
||||
enough to trigger the SELinux denial.
|
||||
|
||||
A hack in wsgi.py prevents the import by raising an ImportError.
|
||||
---
|
||||
freeipa.spec.in | 2 ++
|
||||
install/share/wsgi.py | 14 ++++++++++++++
|
||||
ipaserver/dcerpc.py | 32 +++++++++++++++++++++++---------
|
||||
3 files changed, 39 insertions(+), 9 deletions(-)
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 542dc28..cd05709 100644
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -72,6 +72,7 @@ BuildRequires: python-ldap
|
||||
BuildRequires: python-setuptools
|
||||
BuildRequires: python-nss
|
||||
BuildRequires: python-cryptography >= 0.9
|
||||
+BuildRequires: m2crypto
|
||||
BuildRequires: python-netaddr
|
||||
BuildRequires: python-gssapi >= 1.1.2
|
||||
BuildRequires: python-rhsm
|
||||
@@ -483,6 +484,7 @@ Requires: keyutils
|
||||
Requires: pyOpenSSL
|
||||
Requires: python-nss >= 0.16
|
||||
Requires: python-cryptography >= 0.9
|
||||
+Requires: m2crypto
|
||||
Requires: python-lxml
|
||||
Requires: python-netaddr
|
||||
Requires: python-libipa_hbac
|
||||
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
|
||||
index ee9311e..ba42c34 100644
|
||||
index ee9311e..bb201fa 100644
|
||||
--- a/install/share/wsgi.py
|
||||
+++ b/install/share/wsgi.py
|
||||
@@ -23,6 +23,20 @@
|
||||
@ -67,63 +46,6 @@ index ee9311e..ba42c34 100644
|
||||
from ipalib import api
|
||||
from ipalib.config import Env
|
||||
from ipalib.constants import DEFAULT_CONFIG
|
||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
||||
index bb58945..63df946 100644
|
||||
--- a/ipaserver/dcerpc.py
|
||||
+++ b/ipaserver/dcerpc.py
|
||||
@@ -42,8 +42,6 @@ from samba.ndr import ndr_pack, ndr_print
|
||||
from samba import net
|
||||
import samba
|
||||
import random
|
||||
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
|
||||
-from cryptography.hazmat.backends import default_backend
|
||||
try:
|
||||
from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
|
||||
except ImportError:
|
||||
@@ -65,6 +63,29 @@ if six.PY3:
|
||||
unicode = str
|
||||
long = int
|
||||
|
||||
+# Some versions of python-cryptography depend on python-cffi callbacks which
|
||||
+# are built on top of libffi's closure API. The closures require writeable
|
||||
+# and executable anonymous memory mappings, which violate SELinux execmem
|
||||
+# rules such as 'httpd_execmem'. Prefer M2Crypto on Python 2.
|
||||
+try:
|
||||
+ from M2Crypto import RC4
|
||||
+except ImportError:
|
||||
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
|
||||
+ from cryptography.hazmat.backends import default_backend
|
||||
+
|
||||
+ def arcfour_encrypt(key, data):
|
||||
+ """RC4 with python-cryptography"""
|
||||
+ algorithm = algorithms.ARC4(key)
|
||||
+ cipher = Cipher(algorithm, mode=None, backend=default_backend())
|
||||
+ encryptor = cipher.encryptor()
|
||||
+ return encryptor.update(data)
|
||||
+else:
|
||||
+ def arcfour_encrypt(key, data):
|
||||
+ """RC4 with M2Crypto"""
|
||||
+ c = RC4.RC4(key)
|
||||
+ return c.update(data)
|
||||
+
|
||||
+
|
||||
__doc__ = _("""
|
||||
Classes to manage trust joins using DCE-RPC calls
|
||||
|
||||
@@ -135,13 +156,6 @@ def assess_dcerpc_exception(num=None,message=None):
|
||||
return errors.RemoteRetrieveError(reason=reason)
|
||||
|
||||
|
||||
-def arcfour_encrypt(key, data):
|
||||
- algorithm = algorithms.ARC4(key)
|
||||
- cipher = Cipher(algorithm, mode=None, backend=default_backend())
|
||||
- encryptor = cipher.encryptor()
|
||||
- return encryptor.update(data)
|
||||
-
|
||||
-
|
||||
class ExtendedDNControl(LDAPControl):
|
||||
# This class attempts to implement LDAP control that would work
|
||||
# with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
|
||||
--
|
||||
2.5.0
|
||||
2.7.4
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user