4.6.1-4 Update execmem patch

Update workaround patch to prevent SELinux execmem AVC (#1491508)

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden 2017-10-17 10:58:10 +02:00
parent cca65702ef
commit b993dadc84
2 changed files with 23 additions and 19 deletions

@ -1,10 +1,7 @@
From 18692deb9a1ceffe5b4bc5c1b470f7c3e6159a9d Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 4 Sep 2017 13:46:47 +0200
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.
From 7589f2c71de95807dbdb64a845a8dc90e7542ee6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 17 Oct 2017 09:40:05 +0200
Subject: [PATCH] Block PyOpenSSL to prevent SELinux execmem in wsgi
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
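Review bot: the old explanatory line "pki.client no longer tries to use PyOpenSSL instead of Python's ssl module." disappears with the swapped header and nothing in the new text restates it; that is acceptable here because the old stat line further down shows the original patch touched only install/share/wsgi.py, so no pki.client code change is being dropped along with the description. Separately, the retained context line carries the upstream commit-message typo "python-requsts" (python-requests); not this change's to fix, but it is now carried into the package verbatim.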
@ -16,18 +13,22 @@ When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Fixes: FreeIPA #5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
install/share/wsgi.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
install/share/wsgi.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f72395230e9dff8 100644
index e263b81..e5cabc0 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -25,6 +25,19 @@ WSGI appliction for IPA server.
@@ -25,6 +25,18 @@ WSGI appliction for IPA server.
"""
import logging
import os
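Review bot: the numbers in the regenerated trailer are consistent with each other: the new hunk header "@@ -25,6 +25,18 @@" against the old "+25,19", and "12 insertions(+)" against "13 insertions(+)", both reflect the one-line shrink of the wsgi.py hunk, so the patch file should apply under %prep exactly as before. One nit: the index line moved from full 40-character object ids to the abbreviated "index e263b81..e5cabc0"; both git am and patch accept either form, so no action is needed, just be aware the abbreviated ids are less convenient when tracing the patch back to the upstream blob.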
@ -41,12 +42,11 @@ index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f723952
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
+# Block any import of PyOpenSSL's SSL module by raising an ImportError
+sys.modules['OpenSSL.SSL'] = None
from ipaplatform.paths import paths
from ipalib import api
--
2.13.3
2.9.5
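Review bot: "sys.modules['OpenSSL.SSL'] = None" needs "sys" to be imported, and neither this hunk nor the retained context of the previous one ("import logging", "import os") shows an "import sys"; the old line had the same dependency, so it is presumably satisfied by a line outside the shown context, but please confirm before building. On the substance, keying on "OpenSSL.SSL" rather than "requests.packages.urllib3.contrib.pyopenssl" is the right fix for the unbundled-urllib3 case described in the commit message (the old key only matched the bundled module path), but it is also broader: any "import OpenSSL.SSL" from any module loaded in the IPA wsgi process now raises ImportError, not just urllib3's contrib shim, and the one-line comment "Block any import of PyOpenSSL's SSL module by raising an ImportError" should say so explicitly. The git version trailer changing from 2.13.3 to 2.9.5 only reflects the machine the patch was regenerated on and is harmless.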

@ -68,7 +68,7 @@
Name: freeipa
Version: %{VERSION}
Release: 3%{?dist}
Release: 4%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -78,7 +78,8 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
# https://github.com/freeipa/freeipa/pull/1158
Patch0001: 0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch
# https://github.com/freeipa/freeipa/pull/1137
Patch0002: 0002-ipa-kdb-support-KDB-DAL-version-7.0.patch
# https://github.com/freeipa/freeipa/pull/1156
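Review bot: renaming Patch0001 from 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch to 0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch requires the old file to leave the package sources too, otherwise a stale patch lingers in the tree; the commit summary reports only "2 changed files", which means git treated the patch file as a rename rather than an add plus a leftover, so that is satisfied. The added "# https://github.com/freeipa/freeipa/pull/1158" comment follows the convention already used for Patch0002 ("# https://github.com/freeipa/freeipa/pull/1137").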
@ -1715,6 +1716,9 @@ fi
%endif # with_ipatests
%changelog
* Tue Oct 17 2017 Rob Crittenden <rcritten@redhat.com> - 4.6.1-4
- Update workaround patch to prevent SELinux execmem AVC (#1491508)
* Mon Oct 16 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.1-3
- Another attempt at fix for bug #1491053
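Review bot: the changelog line "Update workaround patch to prevent SELinux execmem AVC (#1491508)" records that the patch was refreshed but not what changed in it; since the new patch blocks OpenSSL.SSL for the whole wsgi process instead of only the bundled requests urllib3 shim, a few words to that effect (for example "now blocks OpenSSL.SSL so unbundled urllib3 is covered too") would save whoever later hits an unexpected PyOpenSSL ImportError inside the IPA wsgi process from bisecting. The entry's version string 4.6.1-4 matches the Release bump to 4%{?dist} above.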