diff --git a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
new file mode 100644
index 0000000..16dd86b
--- /dev/null
+++ b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
@@ -0,0 +1,47 @@
+From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Tue, 8 Dec 2015 11:18:22 +0100
+Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
+ cryptography
+
+Some dependencies like Dogtag's pki.client library and custodia use
+python-requsts to make HTTPS connection. python-requests prefers
+PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+of python-cryptography which trigger a execmem SELinux violation
+in the context of Apache HTTPD (httpd_execmem).
+When requests is imported, it always tries to import pyopenssl glue
+code from urllib3's contrib directory. The import of PyOpenSSL is
+enough to trigger the SELinux denial.
+A hack in wsgi.py prevents the import by raising an ImportError.
+---
+ install/share/wsgi.py | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/install/share/wsgi.py b/install/share/wsgi.py
+index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
+--- a/install/share/wsgi.py
++++ b/install/share/wsgi.py
+@@ -23,6 +23,20 @@
+ """
+ WSGI appliction for IPA server.
+ """
++import sys
++
++# Some dependencies like Dogtag's pki.client library and custodia use
++# python-requsts to make HTTPS connection. python-requests prefers
++# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
++# of python-cryptography which trigger a execmem SELinux violation
++# in the context of Apache HTTPD (httpd_execmem).
++# When requests is imported, it always tries to import pyopenssl glue
++# code from urllib3's contrib directory. The import of PyOpenSSL is
++# enough to trigger the SELinux denial.
++# This hack prevents the import by raising an ImportError.
++
++sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None
++
+ from ipalib import api
+ from ipalib.config import Env
+ from ipalib.constants import DEFAULT_CONFIG
+--
+2.5.0
+
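Review bot: The module key on the added `sys.modules[...] = None` line in the embedded wsgi.py hunk is misspelled: it reads `request.packages.urllib3.contrib.pyopenssl`, but the package is `requests`, so the entry never matches the name the commit message says the glue is imported under, the ImportError the comment promises is never raised, and the PyOpenSSL import (and the execmem denial it triggers) still happens. The line should read `sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None`. Whether the packaged python-requests actually imports the glue under that bundled-package name, rather than a top-level `urllib3` one, is not visible here and is worth confirming before relying on the block. The same hunk carries the typos `python-requsts`, `is build on` and `appliction` in the comment and docstring, which could be fixed while touching these lines.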
diff --git a/freeipa.spec b/freeipa.spec index 434c02e..ed4c676 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -30,7 +30,7 @@ Name: freeipa Version: %{VERSION} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -39,6 +39,8 @@ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch + %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.4.0 BuildRequires: svrcore-devel @@ -1017,6 +1019,9 @@ fi %endif # ONLY_CLIENT %changelog +* Mon Dec 07 2015 Petr Vobornik - 4.2.3-2 +- Workarounds for SELinux execmem violations in cryptography + * Mon Nov 02 2015 Petr Vobornik - 4.2.3-1 - Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3 - fix #1274905
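Review bot: `Patch0001:` is declared in the second hunk of freeipa.spec, but nothing in this diff applies it — no `%patch0001 -p1` is added to `%prep`, and whether the spec uses `%autosetup`/`%autopatch` cannot be seen from these hunks. If `%prep` uses a plain `%setup`, the 4.2.3-2 build would ship the unpatched wsgi.py while the changelog entry claims the workaround is in place. Confirm that `%prep` applies the patch, or add `%patch0001 -p1` after the `%setup` line.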