From a33b200323a66a0345aa06d5ff5557707a02aab4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Mon, 7 Dec 2015 19:03:41 +0100
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography

ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's pki.client no longer tries to use PyOpenSSL instead of Python's ssl module. Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. A hack in wsgi.py prevents the import by raising an ImportError.
---
 ...SELinux-execmem-violations-in-crypto.patch | 47 +++++++++++++++++++
 freeipa.spec | 7 ++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch

diff --git a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
new file mode 100644
index 0000000..16dd86b
--- /dev/null
+++ b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
@@ -0,0 +1,47 @@
+From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Tue, 8 Dec 2015 11:18:22 +0100
+Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
+ cryptography
+
+Some dependencies like Dogtag's pki.client library and custodia use
+python-requsts to make HTTPS connection. python-requests prefers
+PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+of python-cryptography which trigger a execmem SELinux violation
+in the context of Apache HTTPD (httpd_execmem).
+When requests is imported, it always tries to import pyopenssl glue
+code from urllib3's contrib directory. The import of PyOpenSSL is
+enough to trigger the SELinux denial.
+A hack in wsgi.py prevents the import by raising an ImportError.
+---
+ install/share/wsgi.py | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/install/share/wsgi.py b/install/share/wsgi.py
+index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
+--- a/install/share/wsgi.py
++++ b/install/share/wsgi.py
+@@ -23,6 +23,20 @@
+ """
+ WSGI appliction for IPA server.
+ """
++import sys
++
++# Some dependencies like Dogtag's pki.client library and custodia use
++# python-requsts to make HTTPS connection. python-requests prefers
++# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
++# of python-cryptography which trigger a execmem SELinux violation
++# in the context of Apache HTTPD (httpd_execmem).
++# When requests is imported, it always tries to import pyopenssl glue
++# code from urllib3's contrib directory. The import of PyOpenSSL is
++# enough to trigger the SELinux denial.
++# This hack prevents the import by raising an ImportError.
++
++sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None
++
+ from ipalib import api
+ from ipalib.config import Env
+ from ipalib.constants import DEFAULT_CONFIG
+-- 
+2.5.0
+
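Review bot: The module key in the added `sys.modules[...] = None` line of the embedded wsgi.py hunk is spelled `request.packages.urllib3.contrib.pyopenssl`, while the package the comment and commit message talk about is `requests`, so the entry never matches the name urllib3's contrib import resolves to and the workaround is a no-op; the execmem denial this commit exists to avoid would still be triggered under httpd. The line should read `sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None`, and since the file under review is a patch carried by the spec, the fix belongs in the patch content. On platforms where requests is unbundled from urllib3 the same import may be attempted as `urllib3.contrib.pyopenssl` instead, which this key would also miss — worth confirming on the target build rather than assuming the vendored path. The assignment does sit above `from ipalib import api`, which is where it has to stay for any later import of requests to see it; a short comment such as `# must run before anything that imports requests` would make that ordering constraint explicit for the next edit.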
diff --git a/freeipa.spec b/freeipa.spec index 434c02e..ed4c676 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -30,7 +30,7 @@ Name: freeipa Version: %{VERSION} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -39,6 +39,8 @@ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch + %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.4.0 BuildRequires: svrcore-devel @@ -1017,6 +1019,9 @@ fi %endif # ONLY_CLIENT %changelog +* Mon Dec 07 2015 Petr Vobornik - 4.2.3-2 +- Workarounds for SELinux execmem violations in cryptography + * Mon Nov 02 2015 Petr Vobornik - 4.2.3-1 - Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3 - fix #1274905
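Review bot: The second hunk declares `Patch0001:` but no hunk in this diff touches `%prep`, which lies outside the shown hunks; if `%prep` uses a plain `%setup -q` rather than `%autosetup -p1`, the patch is listed in the SRPM but never applied, and the Release bump to `2%{?dist}` ships the unchanged wsgi.py while the changelog claims the workaround is in. Please confirm `%prep` either already uses `%autosetup -p1` or gains a `%patch0001 -p1` line in this same change. It would also help to note in the changelog entry which file the workaround modifies, e.g. `- Workarounds for SELinux execmem violations in cryptography (install/share/wsgi.py)`.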