Workarounds for SELinux execmem violations in cryptography

ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.

0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch

@@ -0,0 +1,47 @@
+From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 8 Dec 2015 11:18:22 +0100
+Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
+ cryptography
+
+Some dependencies like Dogtag's pki.client library and custodia use
+python-requsts to make HTTPS connection. python-requests prefers
+PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+of python-cryptography which trigger a execmem SELinux violation
+in the context of Apache HTTPD (httpd_execmem).
+When requests is imported, it always tries to import pyopenssl glue
+code from urllib3's contrib directory. The import of PyOpenSSL is
+enough to trigger the SELinux denial.
+A hack in wsgi.py prevents the import by raising an ImportError.
+---
+ install/share/wsgi.py | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/install/share/wsgi.py b/install/share/wsgi.py
+index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
+--- a/install/share/wsgi.py
++++ b/install/share/wsgi.py
+@@ -23,6 +23,20 @@
+ """
+ WSGI appliction for IPA server.
+ """
++import sys
++
++# Some dependencies like Dogtag's pki.client library and custodia use
++# python-requsts to make HTTPS connection. python-requests prefers
++# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
++# of python-cryptography which trigger a execmem SELinux violation
++# in the context of Apache HTTPD (httpd_execmem).
++# When requests is imported, it always tries to import pyopenssl glue
++# code from urllib3's contrib directory. The import of PyOpenSSL is
++# enough to trigger the SELinux denial.
++# This hack prevents the import by raising an ImportError.
++
++sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None
++
+ from ipalib import api
+ from ipalib.config import Env
+ from ipalib.constants import DEFAULT_CONFIG
+-- 
+2.5.0
+

freeipa.spec

@@ -30,7 +30,7 @@
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -39,6 +39,8 @@ URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
+Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.4.0
 BuildRequires:  svrcore-devel
@@ -1017,6 +1019,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Mon Dec 07 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-2
+- Workarounds for SELinux execmem violations in cryptography
+
 * Mon Nov 02 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-1
 - Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3
 - fix #1274905