[Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 7 15:17:47 UTC 2015


On Mon, 07 Dec 2015, Christian Heimes wrote:
>The patch fixes SELinux violations in Fedora 23.
>
>Background: Recent versions of cryptography cause SELinux violation
>which will lead to a segfault, see
>https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>occurs in the context of Apache HTTPD (FreeIPA web ui) when
>cryptography.hazmat.backends.default_backend() is initialized. I'm
>working on a fix for cryptography but it will take a while. First I have
>to wait for a new upstream release of python-cffi. Armin Ronacher plans
>to release cffi 1.4 in two weeks.
>
>
>ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>module.
>
>Some dependencies like Dogtag's pki.client library and custodia use
>python-requests to make HTTPS connections. python-requests prefers
>PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>of python-cryptography which triggers an execmem SELinux violation
>in the context of Apache HTTPD (httpd_execmem).
>When requests is imported, it always tries to import pyopenssl glue
>code from urllib3's contrib directory. The import of PyOpenSSL is
>enough to trigger the SELinux denial.
>A hack in wsgi.py prevents the import by raising an ImportError.
ACK. Thanks for these patches.

Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
already detects apparmor by looking into /proc and disabling the use of
writeable and executable memory. On those platforms I suspect recent
enough python-cryptography would work without problem by downgrading its own
feature set. The code in these patches should be harmless, though.

-- 
/ Alexander Bokovoy
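As an added example (not the FreeIPA patch's own code), one way to produce the ImportError that the wsgi.py hack relies on: a Python 3 meta-path finder that refuses to locate the PyOpenSSL import before requests is loaded. The module names OpenSSL and urllib3.contrib.pyopenssl are assumptions about what requests tries to import; the finder must be installed before those modules land in sys.modules.

```python
"""Keep PyOpenSSL out of a process so requests/urllib3 fall back to stdlib ssl.

Added example, not the FreeIPA patch's own code: a sys.meta_path finder that
makes `import OpenSSL` (and urllib3's pyopenssl glue) raise ImportError. The
callers wrap that import in try/except ImportError and fall back to the stdlib
ssl module, so python-cryptography is never loaded into the process.
"""
import importlib
import importlib.abc
import sys

# Assumed names: the PyOpenSSL package and urllib3's optional glue module.
BLOCKED_MODULES = ("OpenSSL", "urllib3.contrib.pyopenssl")


class ImportBlocker(importlib.abc.MetaPathFinder):
    """Refuse to locate the blocked modules; let every other import through."""

    def __init__(self, blocked):
        self.blocked = frozenset(blocked)

    def find_spec(self, fullname, path=None, target=None):
        if fullname in self.blocked:
            # Plain ImportError (not ModuleNotFoundError) so callers can tell
            # "deliberately disabled" apart from "not installed".
            raise ImportError("%s disabled: execmem workaround" % fullname)
        return None


def install_blocker(blocked=BLOCKED_MODULES):
    """Put the blocker first on sys.meta_path (idempotent). Must run before
    `requests` is imported: modules cached in sys.modules bypass finders."""
    for finder in sys.meta_path:
        if isinstance(finder, ImportBlocker):
            return finder
    finder = ImportBlocker(blocked)
    sys.meta_path.insert(0, finder)
    return finder


def probe_import(name):
    """Return 'blocked', 'missing' or 'ok' for an import attempt of `name`."""
    try:
        importlib.import_module(name)
    except ModuleNotFoundError:
        return "missing"
    except ImportError:
        return "blocked"
    return "ok"
```

Because the blocker raises a plain ImportError rather than ModuleNotFoundError, an audit can distinguish "disabled on purpose" from "PyOpenSSL not installed" when checking which TLS backend a WSGI process ended up with.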