From 18692deb9a1ceffe5b4bc5c1b470f7c3e6159a9d Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Mon, 4 Sep 2017 13:46:47 +0200
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography

pki.client no longer tries to use PyOpenSSL instead of Python's ssl module. Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. A hack in wsgi.py prevents the import by raising an ImportError.

Signed-off-by: Tomas Krizek
---
 install/share/wsgi.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f72395230e9dff8 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -25,6 +25,19 @@ WSGI appliction for IPA server.
 """
 import logging
 import os
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
 
 from ipaplatform.paths import paths
 from ipalib import api
-- 
2.13.3
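Review bot: The sys.modules guard keys only the vendored name `requests.packages.urllib3.contrib.pyopenssl`; on a requests build that imports urllib3 as a top-level package the glue module is loaded as `urllib3.contrib.pyopenssl`, so that name would need the same `None` entry (`sys.modules['urllib3.contrib.pyopenssl'] = None`) for the ImportError to fire — worth confirming against the requests version shipped with the server. The guard also only helps if it executes before anything imports requests, which holds for the two ipa imports that follow it but presumes nothing preloads requests in the WSGI process; a line such as `# Must stay above every import that may pull in requests.` would make that ordering constraint explicit. The added comment carries typos the patch description repeats (`python-requsts`, `is build on top`, `which trigger a execmem`).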