diff --git a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch b/0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch similarity index 61% rename from 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch rename to 0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch index 65bfcc1..072a9d1 100644 --- a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch +++ b/0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch @@ -1,10 +1,7 @@ -From 18692deb9a1ceffe5b4bc5c1b470f7c3e6159a9d Mon Sep 17 00:00:00 2001 -From: Tomas Krizek -Date: Mon, 4 Sep 2017 13:46:47 +0200 -Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography - -pki.client no longer tries to use PyOpenSSL instead of Python's ssl -module. +From 7589f2c71de95807dbdb64a845a8dc90e7542ee6 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 17 Oct 2017 09:40:05 +0200 +Subject: [PATCH] Block PyOpenSSL to prevent SELinux execmem in wsgi Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers @@ -16,18 +13,22 @@ When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. -A hack in wsgi.py prevents the import by raising an ImportError. +Block any import of PyOpenSSL's SSL module in wsgi by raising an +ImportError. The block is compatible with new python-requests with +unbundled urllib3, too. -Signed-off-by: Tomas Krizek +Fixes: FreeIPA #5442 +Fixes: RHBZ#1491508 +Signed-off-by: Christian Heimes --- - install/share/wsgi.py | 13 +++++++++++++ - 1 file changed, 13 insertions(+) + install/share/wsgi.py | 12 ++++++++++++ + 1 file changed, 12 insertions(+) diff --git a/install/share/wsgi.py b/install/share/wsgi.py -index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f72395230e9dff8 100644 +index e263b81..e5cabc0 100644 
--- a/install/share/wsgi.py +++ b/install/share/wsgi.py -@@ -25,6 +25,19 @@ WSGI appliction for IPA server. +@@ -25,6 +25,18 @@ WSGI appliction for IPA server. """ import logging import os @@ -41,12 +42,11 @@ index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f723952 +# When requests is imported, it always tries to import pyopenssl glue +# code from urllib3's contrib directory. The import of PyOpenSSL is +# enough to trigger the SELinux denial. -+# This hack prevents the import by raising an ImportError. -+ -+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None ++# Block any import of PyOpenSSL's SSL module by raising an ImportError ++sys.modules['OpenSSL.SSL'] = None from ipaplatform.paths import paths from ipalib import api -- -2.13.3 +2.9.5 diff --git a/freeipa.spec b/freeipa.spec index ec35bc2..b0ef1db 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -68,7 +68,7 @@ Name: freeipa Version: %{VERSION} -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -78,7 +78,8 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch +# https://github.com/freeipa/freeipa/pull/1158 +Patch0001: 0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch # https://github.com/freeipa/freeipa/pull/1137 Patch0002: 0002-ipa-kdb-support-KDB-DAL-version-7.0.patch # https://github.com/freeipa/freeipa/pull/1156 @@ -1715,6 +1716,9 @@ fi %endif # with_ipatests %changelog +* Tue Oct 17 2017 Rob Crittenden - 4.6.1-4 +- Update workaround patch to prevent SELinux execmem AVC (#1491508) + * Mon Oct 16 2017 Alexander Bokovoy - 4.6.1-3 - Another attempt at fix for bug #1491053
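Review bot: `sys.modules['OpenSSL.SSL'] = None` is an unconditional, process-wide block, so any other code in the IPA WSGI process that does `from OpenSSL import SSL` now fails with a bare ImportError that gives no hint the denial is deliberate; the one-line comment above it should say so and name the tracking bug so the line is not removed later as dead code. The line is also order-sensitive: it only achieves its purpose because it runs before the `from ipaplatform.paths import paths` / `from ipalib import api` lines that follow it (and anything they transitively import that pulls in requests/urllib3), and a future reorder of the imports would silently defeat it. I would replace the comment with `# Must run before any import that can pull in python-requests/urllib3 (RHBZ#1491508): blocking OpenSSL.SSL keeps urllib3's pyopenssl contrib from loading; any direct user of OpenSSL.SSL in this process gets ImportError by design.` Note that the block keys on the submodule name only, so whether a plain `import OpenSSL` also trips it depends on whether pyOpenSSL's package `__init__` imports SSL, which is not visible here and worth confirming before relying on the narrower scope. The module-level code of wsgi.py continues outside this hunk.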