[Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

Christian Heimes cheimes at redhat.com
Mon Dec 7 14:37:50 UTC 2015


The patch fixes SELinux violations in Fedora 23.

Background: Recent versions of cryptography cause an SELinux violation
which will lead to a segfault, see
https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
occurs in the context of Apache HTTPD (FreeIPA web UI) when
cryptography.hazmat.backends.default_backend() is initialized. I'm
working on a fix for cryptography, but it will take a while. First I have
to wait for a new upstream release of python-cffi. Armin Ronacher plans
to release cffi 1.4 in two weeks.


ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import the PyOpenSSL glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0026-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
Type: text/x-patch
Size: 4967 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151207/0a106321/attachment.bin>
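An added illustration of the mechanism behind the wsgi.py hack, not code from the attached patch: registering None under a dotted module name in sys.modules makes that import raise ImportError before any module code runs, so a caller that wraps the import in try/except ImportError (as requests does for its PyOpenSSL glue) silently falls back to the stdlib ssl path. The two urllib3 glue names are an assumption about what the patch blocks; the demo_lib package is constructed so the demo runs without urllib3 installed.

```python
import ssl
import sys
import types

# Assumed glue module names (vendored and unvendored urllib3 paths);
# the patch itself is not reproduced here.
BLOCKED = (
    "requests.packages.urllib3.contrib.pyopenssl",
    "urllib3.contrib.pyopenssl",
)


def block_imports(names=BLOCKED):
    """Make `import <name>` raise ImportError (ModuleNotFoundError on
    Python 3). Must run before the first import of the library: an
    already-imported module sits in sys.modules and would not be blocked."""
    for name in names:
        if sys.modules.get(name) is not None:
            raise RuntimeError("%s is already imported; block it earlier" % name)
        sys.modules[name] = None


def load_glue(name):
    """requests-style optional import: return the glue module when it
    imports, otherwise fall back to the stdlib ssl module."""
    try:
        __import__(name)
    except ImportError:
        return ssl
    return sys.modules[name]


def install_fake_package(dotted):
    """Constructed stand-in package tree (no real urllib3 is touched)."""
    parts, parent = dotted.split("."), None
    for i in range(len(parts)):
        full = ".".join(parts[: i + 1])
        mod = sys.modules.get(full)
        if mod is None:
            mod = types.ModuleType(full)
            mod.__path__ = []  # mark it as a package so children resolve
            sys.modules[full] = mod
        if parent is not None:
            setattr(parent, parts[i], mod)
        parent = mod
    return parent


def demo():
    """Without the block the glue loads; with it the ssl fallback is taken."""
    glue = "demo_lib.contrib.pyopenssl"
    install_fake_package(glue)
    unblocked = load_glue(glue).__name__
    del sys.modules[glue]          # simulate a fresh process before the import
    block_imports([glue])
    return unblocked, load_glue(glue).__name__   # returns (glue, "ssl")
```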