diff --git a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
index 16dd86b..063e414 100644
--- a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+++ b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
@@ -1,9 +1,13 @@
-From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
+From 5ac052f085c74f058703c5da29d59849c11e571f Mon Sep 17 00:00:00 2001
 From: Christian Heimes
-Date: Tue, 8 Dec 2015 11:18:22 +0100
+Date: Thu, 3 Dec 2015 14:26:19 +0100
 Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
 cryptography

+ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
+pki.client no longer tries to use PyOpenSSL instead of Python's ssl
+module.
+
 Some dependencies like Dogtag's pki.client library and custodia use
 python-requsts to make HTTPS connection. python-requests prefers
 PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
@@ -14,11 +18,33 @@ code from urllib3's contrib directory. The import of PyOpenSSL is
 enough to trigger the SELinux denial. A hack in wsgi.py prevents the
 import by raising an ImportError.
 ---
+ freeipa.spec.in | 2 ++
 install/share/wsgi.py | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
+ ipaserver/dcerpc.py | 32 +++++++++++++++++++++++---------
+ 3 files changed, 39 insertions(+), 9 deletions(-)

+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index a60d9b63f363773b6ca1b0969fa56b369a94092f..4fe8a911f0ae08882287bfea262064f5a2386ec1 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -66,6 +66,7 @@ BuildRequires: python-ldap
+ BuildRequires: python-setuptools
+ BuildRequires: python-nss
+ BuildRequires: python-cryptography
++BuildRequires: m2crypto
+ BuildRequires: python-netaddr
+ BuildRequires: python-gssapi >= 1.1.2
+ BuildRequires: python-rhsm
+@@ -322,6 +323,7 @@ Requires: keyutils
+ Requires: pyOpenSSL
+ Requires: python-nss >= 0.16
+ Requires: python-cryptography
++Requires: m2crypto
+ Requires: python-lxml
+ Requires: python-netaddr
+ Requires: python-libipa_hbac
 diff --git a/install/share/wsgi.py b/install/share/wsgi.py
-index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
+index ee9311e4eab8b95b5143170469cac7dc0b8b8e5e..ba42c343228da21f8e2ae9ea717450bada93359d 100644
 --- a/install/share/wsgi.py
 +++ b/install/share/wsgi.py
 @@ -23,6 +20 @@
@@ -42,6 +68,63 @@ index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 2e412861ebc265a9b07c8634068151181a3e9b9e..15d8e192e397868a0bf623d8a23c4a2489126bcb 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -42,8 +42,6 @@ from samba.ndr import ndr_pack, ndr_print
+ from samba import net
+ import samba
+ import random
+-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
+-from cryptography.hazmat.backends import default_backend
+ try:
+ from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
+ except ImportError:
+@@ -65,6 +63,29 @@ if six.PY3:
+ unicode = str
+ long = int
+
++# Some versions of python-cryptography depend on python-cffi callbacks which
++# are built on top of libffi's closure API. The closures require writeable
++# and executable anonymous memory mappings, which violate SELinux execmem
++# rules such as 'httpd_execmem'. Prefer M2Crypto on Python 2.
++try:
++ from M2Crypto import RC4
++except ImportError:
++ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
++ from cryptography.hazmat.backends import default_backend
++
++ def arcfour_encrypt(key, data):
++ """RC4 with python-cryptography"""
++ algorithm = algorithms.ARC4(key)
++ cipher = Cipher(algorithm, mode=None, backend=default_backend())
++ encryptor = cipher.encryptor()
++ return encryptor.update(data)
++else:
++ def arcfour_encrypt(key, data):
++ """RC4 with M2Crypto"""
++ c = RC4.RC4(key)
++ return c.update(data)
++
++
+ __doc__ = _("""
+ Classes to manage trust joins using DCE-RPC calls
+
+@@ -135,13 +156,6 @@ def assess_dcerpc_exception(num=None,message=None):
+ return errors.RemoteRetrieveError(reason=reason)
+
+
+-def arcfour_encrypt(key, data):
+- algorithm = algorithms.ARC4(key)
+- cipher = Cipher(algorithm, mode=None, backend=default_backend())
+- encryptor = cipher.encryptor()
+- return encryptor.update(data)
+-
+-
+ class ExtendedDNControl(LDAPControl):
+ # This class attempts to implement LDAP control that would work
+ # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
 --
-2.5.0
+2.4.3

diff --git a/freeipa.spec b/freeipa.spec
index d4906c6..9c32876 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -45,6 +45,8 @@ URL: http://www.freeipa.org/
 Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

+Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+
 %if ! %{ONLY_CLIENT}
 BuildRequires: 389-ds-base-devel >= 1.3.4.4
 BuildRequires: svrcore-devel
@@ -76,6 +78,7 @@ BuildRequires: python-ldap
 BuildRequires: python-setuptools
 BuildRequires: python-nss
 BuildRequires: python-cryptography
+BuildRequires: m2crypto
 BuildRequires: python-netaddr
 BuildRequires: python-gssapi >= 1.1.2
 BuildRequires: python-rhsm
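Review bot: The `except ImportError:` branch of the new `try`/`else` block in ipaserver/dcerpc.py falls back to python-cryptography silently, so on a host without M2Crypto the module still imports and the execmem denial this patch exists to avoid comes back with nothing in the logs to explain it; emitting one debug-level message from each branch naming the RC4 backend that was selected (through whatever logger dcerpc.py already has in scope) would make that diagnosable. The comment above the block says "Prefer M2Crypto on Python 2", but the import is attempted on any interpreter; if the Python 2 restriction is intended, guard it with `if six.PY2:` (six is already used in the `if six.PY3:` context line), otherwise drop that phrase from the comment. The two `arcfour_encrypt` docstrings only name the library; one sentence stating that RC4 is presumably dictated by the trust RPC protocol rather than chosen here would keep a later reader from "fixing" it to a modern cipher. The rest of dcerpc.py, including the callers of `arcfour_encrypt`, is outside the hunk.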
@@ -461,6 +464,7 @@ Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
 Requires: python-cryptography
+Requires: m2crypto
 Requires: python-lxml
 Requires: python-netaddr
 Requires: python-libipa_hbac