Workarounds for SELinux execmem violations in crypto

0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch

@@ -1,9 +1,13 @@
-From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
+From 5ac052f085c74f058703c5da29d59849c11e571f Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
-Date: Tue, 8 Dec 2015 11:18:22 +0100
+Date: Thu, 3 Dec 2015 14:26:19 +0100
 Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
  cryptography
 
+ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
+pki.client no longer tries to use PyOpenSSL instead of Python's ssl
+module.
+
 Some dependencies like Dogtag's pki.client library and custodia use
 python-requsts to make HTTPS connection. python-requests prefers
 PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
@@ -14,11 +18,33 @@ code from urllib3's contrib directory. The import of PyOpenSSL is
 enough to trigger the SELinux denial.
 A hack in wsgi.py prevents the import by raising an ImportError.
 ---
+ freeipa.spec.in       |  2 ++
  install/share/wsgi.py | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
+ ipaserver/dcerpc.py   | 32 +++++++++++++++++++++++---------
+ 3 files changed, 39 insertions(+), 9 deletions(-)
 
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index a60d9b63f363773b6ca1b0969fa56b369a94092f..4fe8a911f0ae08882287bfea262064f5a2386ec1 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -66,6 +66,7 @@ BuildRequires:  python-ldap
+ BuildRequires:  python-setuptools
+ BuildRequires:  python-nss
+ BuildRequires:  python-cryptography
++BuildRequires:  m2crypto
+ BuildRequires:  python-netaddr
+ BuildRequires:  python-gssapi >= 1.1.2
+ BuildRequires:  python-rhsm
+@@ -322,6 +323,7 @@ Requires: keyutils
+ Requires: pyOpenSSL
+ Requires: python-nss >= 0.16
+ Requires: python-cryptography
++Requires: m2crypto
+ Requires: python-lxml
+ Requires: python-netaddr
+ Requires: python-libipa_hbac
 diff --git a/install/share/wsgi.py b/install/share/wsgi.py
-index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
+index ee9311e4eab8b95b5143170469cac7dc0b8b8e5e..ba42c343228da21f8e2ae9ea717450bada93359d 100644
 --- a/install/share/wsgi.py
 +++ b/install/share/wsgi.py
 @@ -23,6 +23,20 @@
@@ -42,6 +68,63 @@ index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa
  from ipalib import api
  from ipalib.config import Env
  from ipalib.constants import DEFAULT_CONFIG
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 2e412861ebc265a9b07c8634068151181a3e9b9e..15d8e192e397868a0bf623d8a23c4a2489126bcb 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -42,8 +42,6 @@ from samba.ndr import ndr_pack, ndr_print
+ from samba import net
+ import samba
+ import random
+-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
+-from cryptography.hazmat.backends import default_backend
+ try:
+     from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401
+ except ImportError:
+@@ -65,6 +63,29 @@ if six.PY3:
+     unicode = str
+     long = int
+ 
++# Some versions of python-cryptography depend on python-cffi callbacks which
++# are built on top of libffi's closure API. The closures require writeable
++# and executable anonymous memory mappings, which violate SELinux execmem
++# rules such as 'httpd_execmem'. Prefer M2Crypto on Python 2.
++try:
++    from M2Crypto import RC4
++except ImportError:
++    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
++    from cryptography.hazmat.backends import default_backend
++
++    def arcfour_encrypt(key, data):
++        """RC4 with python-cryptography"""
++        algorithm = algorithms.ARC4(key)
++        cipher = Cipher(algorithm, mode=None, backend=default_backend())
++        encryptor = cipher.encryptor()
++        return encryptor.update(data)
++else:
++    def arcfour_encrypt(key, data):
++        """RC4 with M2Crypto"""
++        c = RC4.RC4(key)
++        return c.update(data)
++
++
+ __doc__ = _("""
+ Classes to manage trust joins using DCE-RPC calls
+ 
+@@ -135,13 +156,6 @@ def assess_dcerpc_exception(num=None,message=None):
+     return errors.RemoteRetrieveError(reason=reason)
+ 
+ 
+-def arcfour_encrypt(key, data):
+-    algorithm = algorithms.ARC4(key)
+-    cipher = Cipher(algorithm, mode=None, backend=default_backend())
+-    encryptor = cipher.encryptor()
+-    return encryptor.update(data)
+-
+-
+ class ExtendedDNControl(LDAPControl):
+     # This class attempts to implement LDAP control that would work
+     # with both python-ldap 2.4.x and 2.3.x, thus there is mix of properties
 -- 
-2.5.0
+2.4.3
 

freeipa.spec

@@ -45,6 +45,8 @@ URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
+Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.4.4
 BuildRequires:  svrcore-devel
@@ -76,6 +78,7 @@ BuildRequires:  python-ldap
 BuildRequires:  python-setuptools
 BuildRequires:  python-nss
 BuildRequires:  python-cryptography
+BuildRequires:  m2crypto
 BuildRequires:  python-netaddr
 BuildRequires:  python-gssapi >= 1.1.2
 BuildRequires:  python-rhsm
@@ -461,6 +464,7 @@ Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
 Requires: python-cryptography
+Requires: m2crypto
 Requires: python-lxml
 Requires: python-netaddr
 Requires: python-libipa_hbac