Workarounds for SELinux execmem violations in cryptography

ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import PyOpenSSL glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
Petr Vobornik 2015-12-07 19:03:41 +01:00
parent efcb307b47
commit a33b200323
2 changed files with 53 additions and 1 deletions


@ -0,0 +1,47 @@
From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 8 Dec 2015 11:18:22 +0100
Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
cryptography
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
---
install/share/wsgi.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@
"""
WSGI appliction for IPA server.
"""
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None
+
from ipalib import api
from ipalib.config import Env
from ipalib.constants import DEFAULT_CONFIG
--
2.5.0
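Review bot: the sys.modules key in the wsgi.py hunk, `sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None`, names the package `request` rather than `requests`, so it never matches the module that requests actually imports (`requests.packages.urllib3.contrib.pyopenssl`) and the PyOpenSSL import, and with it the execmem denial the commit message describes, is not prevented; the key should read `requests.packages.urllib3.contrib.pyopenssl`. Setting a sys.modules entry to None does make a later import raise ImportError, which is the intended effect, but only if the assignment runs before the first import of requests; keeping it above the ipalib imports, as the hunk does, is the right placement. The added comment also repeats the `python-requsts` typo and the `appliction` typo in the adjacent docstring context line could be fixed while touching this file.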


@ -30,7 +30,7 @@
Name: freeipa Name: freeipa
Version: %{VERSION} Version: %{VERSION}
Release: 1%{?dist} Release: 2%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
Group: System Environment/Base Group: System Environment/Base
@ -39,6 +39,8 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.4.0 BuildRequires: 389-ds-base-devel >= 1.3.4.0
BuildRequires: svrcore-devel BuildRequires: svrcore-devel
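Review bot: this hunk declares `Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch`, but no matching `%patch0001 -p1` (or an `%autosetup`-style application) appears anywhere in the visible diff of the spec; unless the existing %prep section already applies every Patch entry, the file is packed into the SRPM but never applied to the sources, and the Release bump and changelog entry would describe a change that does not reach the built package. Please confirm the patch is applied in %prep or add the application line in this change.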
@ -1017,6 +1019,9 @@ fi
%endif # ONLY_CLIENT %endif # ONLY_CLIENT
%changelog %changelog
* Mon Dec 07 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-2
- Workarounds for SELinux execmem violations in cryptography
* Mon Nov 02 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-1 * Mon Nov 02 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-1
- Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3 - Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3
- fix #1274905 - fix #1274905