4.6.1-4 Update execmem patch

Update workaround patch to prevent SELinux execmem AVC (#1491508) Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2017-10-17 10:58:10 +02:00 · 2017-10-17 10:58:10 +02:00 · b993dadc84
commit b993dadc84
parent cca65702ef
2 changed files with 23 additions and 19 deletions
--- a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+++ b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
@ -1,10 +1,7 @@
-From 18692deb9a1ceffe5b4bc5c1b470f7c3e6159a9d Mon Sep 17 00:00:00 2001
+From 7589f2c71de95807dbdb64a845a8dc90e7542ee6 Mon Sep 17 00:00:00 2001
-From: Tomas Krizek <tkrizek@redhat.com>
+From: Christian Heimes <cheimes@redhat.com>
-Date: Mon, 4 Sep 2017 13:46:47 +0200
+Date: Tue, 17 Oct 2017 09:40:05 +0200
-Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography
+Subject: [PATCH] Block PyOpenSSL to prevent SELinux execmem in wsgi
 pki.client no longer tries to use PyOpenSSL instead of Python's ssl
 module.
 Some dependencies like Dogtag's pki.client library and custodia use
 python-requsts to make HTTPS connection. python-requests prefers
@ -16,18 +13,22 @@ When requests is imported, it always tries to import pyopenssl glue
 code from urllib3's contrib directory. The import of PyOpenSSL is
 enough to trigger the SELinux denial.
-A hack in wsgi.py prevents the import by raising an ImportError.
+Block any import of PyOpenSSL's SSL module in wsgi by raising an
 ImportError. The block is compatible with new python-requests with
 unbundled urllib3, too.
-Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
+Fixes: FreeIPA #5442
 Fixes: RHBZ#1491508
 Signed-off-by: Christian Heimes <cheimes@redhat.com>
 ---
- install/share/wsgi.py | 13 +++++++++++++
+ install/share/wsgi.py | 12 ++++++++++++
- 1 file changed, 13 insertions(+)
+ 1 file changed, 12 insertions(+)
 diff --git a/install/share/wsgi.py b/install/share/wsgi.py
-index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f72395230e9dff8 100644
+index e263b81..e5cabc0 100644
 --- a/install/share/wsgi.py
 +++ b/install/share/wsgi.py
-@@ -25,6 +25,19 @@ WSGI appliction for IPA server.
+@@ -25,6 +25,18 @@ WSGI appliction for IPA server.
 """
 import logging
 import os
@ -41,12 +42,11 @@ index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f723952
 +# When requests is imported, it always tries to import pyopenssl glue
 +# code from urllib3's contrib directory. The import of PyOpenSSL is
 +# enough to trigger the SELinux denial.
-+# This hack prevents the import by raising an ImportError.
+# Block any import of PyOpenSSL's SSL module by raising an ImportError
-+
+sys.modules['OpenSSL.SSL'] = None
 +sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
 from ipaplatform.paths import paths
 from ipalib import api
 -- 
-2.13.3
+2.9.5
--- a/freeipa.spec
+++ b/freeipa.spec
@ -68,7 +68,7 @@
 Name:           freeipa
 Version:        %{VERSION}
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        The Identity, Policy and Audit system
 Group:          System Environment/Base
@ -78,7 +78,8 @@ Source0:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+# https://github.com/freeipa/freeipa/pull/1158
 Patch0001:      0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch
 # https://github.com/freeipa/freeipa/pull/1137
 Patch0002:      0002-ipa-kdb-support-KDB-DAL-version-7.0.patch
 # https://github.com/freeipa/freeipa/pull/1156
@ -1715,6 +1716,9 @@ fi
 %endif # with_ipatests
 %changelog
 * Tue Oct 17 2017 Rob Crittenden <rcritten@redhat.com> - 4.6.1-4
 - Update workaround patch to prevent SELinux execmem AVC (#1491508)
 * Mon Oct 16 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.1-3
 - Another attempt at fix for bug #1491053