ipa/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
Tomas Krizek 4403f2b6fc
4.6.0-1: rebase to upstream 4.6.0
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
2017-09-04 13:49:25 +02:00

From 18692deb9a1ceffe5b4bc5c1b470f7c3e6159a9d Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 4 Sep 2017 13:46:47 +0200
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.
Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
---
install/share/wsgi.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f72395230e9dff8 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -25,6 +25,19 @@ WSGI appliction for IPA server.
"""
import logging
import os
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
from ipaplatform.paths import paths
from ipalib import api
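Review bot: the `sys.modules` entry on the last added line names the glue module only through requests' vendored package path (`requests.packages.urllib3.contrib.pyopenssl`); a `None` entry under one dotted name has no effect on another, so a python-requests build that imports the system urllib3 instead of its bundled copy reaches the same file as `urllib3.contrib.pyopenssl` and is not blocked. Consider adding `sys.modules['urllib3.contrib.pyopenssl'] = None` beside the existing line. The placement before `from ipaplatform.paths import paths` is the right one and deserves a sentence in the comment: the `None` entry only affects imports that have not happened yet, so the assignment must precede any module that could pull in requests. The comment block also repeats the commit message's typos; please fix "python-requsts" to "python-requests", "is build on top" to "is built on top" and "which trigger a execmem" to "which triggers an execmem".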
--
2.13.3
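The mechanism this patch relies on, writing `None` into `sys.modules` so that a later `import` of that dotted name raises `ImportError`, as an added example that is not part of this patch or of FreeIPA. It wraps the trick in a form that can be undone, and uses `importlib` to show which name the import system reports as missing: a poisoned entry is reported as the full name itself, while a package that is simply not installed is reported as its first missing parent, which is how you can verify the block took effect on a machine where requests or PyOpenSSL is absent. The names `block_modules`, `restore_modules`, `blocked` and `import_outcome` belong to this example; the two constants are the vendored path the patch blocks and the system urllib3 path, and nothing here assumes either package is installed.

```python
"""Block an import by poisoning sys.modules, and verify that it was blocked."""
import importlib
import sys
from contextlib import contextmanager

# Two dotted names under which requests can reach the PyOpenSSL glue code:
# the copy vendored inside requests (the only one the patch blocks) and the
# system urllib3 package.  Which one a given python-requests build imports
# depends on how it was packaged (assumption for this example).
VENDORED_GLUE = "requests.packages.urllib3.contrib.pyopenssl"
SYSTEM_GLUE = "urllib3.contrib.pyopenssl"

_ABSENT = object()  # sentinel: the name had no sys.modules entry before


def block_modules(names, modules=None):
    """Make `import name` raise ImportError for every name in `names`.

    Returns the previous entries so restore_modules() can undo the change.
    The entry only affects imports that have not happened yet: references
    that earlier importers already hold keep working, which is why the patch
    runs this before importing anything that could pull in requests.
    """
    modules = sys.modules if modules is None else modules
    previous = {name: modules.get(name, _ABSENT) for name in names}
    for name in names:
        modules[name] = None
    return previous


def restore_modules(previous, modules=None):
    """Undo block_modules() using the mapping it returned."""
    modules = sys.modules if modules is None else modules
    for name, entry in previous.items():
        if entry is _ABSENT:
            modules.pop(name, None)
        else:
            modules[name] = entry


@contextmanager
def blocked(*names):
    """Block the given names for the duration of a with-block, then restore."""
    previous = block_modules(names)
    try:
        yield
    finally:
        restore_modules(previous)


def import_outcome(name):
    """Import `name` the way requests does (swallowing ImportError) and report
    what happened: "imported" on success, otherwise the dotted name the import
    system says is missing.  A poisoned sys.modules entry reports `name`
    itself; an uninstalled package reports its first missing parent, e.g.
    "requests"; an ImportError raised by module code without a name gives
    "error".
    """
    try:
        importlib.import_module(name)
    except ImportError as exc:
        return exc.name if exc.name else "error"
    return "imported"


if __name__ == "__main__":
    # Constructed demonstration: a stdlib module that is certainly importable,
    # then the two glue-module names.  Blocking the vendored name alone leaves
    # the system name untouched, which is the gap in the patch above.
    for name in ("json.decoder", VENDORED_GLUE, SYSTEM_GLUE):
        before = import_outcome(name)
        with blocked(VENDORED_GLUE):
            during = import_outcome(name)
        print(f"{name}: before={before!r} with vendored name blocked={during!r}")
```

`import_outcome` deliberately catches only `ImportError`, mirroring the `except ImportError: pass` that requests wraps its optional PyOpenSSL import in; an SELinux denial during a native-extension load would surface as a different exception and would not be silenced by this trick, which is why the patch has to stop the import before it starts rather than catch a failure.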