[Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

Christian Heimes cheimes at redhat.com
Mon Dec 7 15:26:13 UTC 2015


On 2015-12-07 16:17, Alexander Bokovoy wrote:
> On Mon, 07 Dec 2015, Christian Heimes wrote:
>> The patch fixes SELinux violations in Fedora 23.
>>
>> Background: Recent versions of cryptography cause SELinux violation
>> which will lead to a segfault, see
>> https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>> occurs in the context of Apache HTTPD (FreeIPA web ui) when
>> cryptography.hazmat.backends.default_backend() is initialized. I'm
>> working on a fix for cryptography but it will take a while. First I have
>> to wait for a new upstream release of python-cffi. Armin Ronacher plans
>> to release cffi 1.4 in two weeks.
>>
>>
>> ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>> pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>> module.
>>
>> Some dependencies like Dogtag's pki.client library and custodia use
>> python-requests to make HTTPS connections. python-requests prefers
>> PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>> of python-cryptography, which triggers an execmem SELinux violation
>> in the context of Apache HTTPD (httpd_execmem).
>> When requests is imported, it always tries to import pyopenssl glue
>> code from urllib3's contrib directory. The import of PyOpenSSL is
>> enough to trigger the SELinux denial.
>> A hack in wsgi.py prevents the import by raising an ImportError.
> ACK. Thanks for these patches.
> 
> Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
> already detects apparmor by looking into /proc and disabling the use of
> writeable and executable memory. On those platforms I suspect recent
> enough python-cryptography would work without problem by downgrading its own
> feature set. The code in these patches should be harmless, though.

Cryptography's core depends on dynamic callbacks. There is no "downgrade
feature-set" feature.

I guess libffi uses the broken and potentially dangerous workaround
with two shared mmap()s with a file backend
(http://www.akkadia.org/drepper/selinux-mem.html). The approach requires
a writeable, executable temp file and breaks isolation between a parent
process and all its forked child processes.

Christian
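The import-blocking hack described in the thread, shown as an added illustration rather than the FreeIPA patch itself: the idea is to make any later `import OpenSSL` (and urllib3's pyopenssl glue) fail with ImportError so that requests falls back to the stdlib ssl module and python-cryptography's execmem path is never reached under httpd. The example relies on CPython's convention that a `None` entry in `sys.modules` makes the import raise ImportError; the module names in `BLOCKED_FOR_HTTPD` and the function names are assumptions for this example, and the `colorsys` demonstration only proves the mechanism on a module that is certainly installed.

```python
import importlib
import sys

# Added illustration (not FreeIPA's wsgi.py): names whose import should fail
# inside the httpd worker. Assumed list; the thread only names PyOpenSSL and
# urllib3's contrib glue as the trigger.
BLOCKED_FOR_HTTPD = ("OpenSSL", "OpenSSL.SSL", "urllib3.contrib.pyopenssl")


def block_import(name):
    """Register a None sentinel so that any later import of `name` raises
    ImportError (ModuleNotFoundError on Python 3, which is a subclass)."""
    sys.modules[name] = None


def unblock_import(name):
    """Drop the sentinel (or a cached module) so `name` can be imported again."""
    sys.modules.pop(name, None)


def import_is_blocked(name):
    """Return True if importing `name` currently fails with ImportError.
    requests/urllib3 wrap their optional PyOpenSSL import in exactly this
    kind of try/except ImportError, so a blocked module is silently skipped."""
    try:
        importlib.import_module(name)
    except ImportError:
        return True
    return False


def apply_httpd_workaround():
    """Block every name in BLOCKED_FOR_HTTPD; return the names now blocked.
    Must run before the first `import requests` to have any effect."""
    for name in BLOCKED_FOR_HTTPD:
        block_import(name)
    return [n for n in BLOCKED_FOR_HTTPD if import_is_blocked(n)]


if __name__ == "__main__":
    print("blocked:", apply_httpd_workaround())
    # Show the sentinel working on a stdlib module that is always present.
    block_import("colorsys")
    print("colorsys blocked:", import_is_blocked("colorsys"))
    unblock_import("colorsys")
    print("colorsys blocked after unblock:", import_is_blocked("colorsys"))
```

The sentinel must be installed before any code path imports requests, which is why the thread places it in wsgi.py, the first module httpd loads; a check like `import_is_blocked("OpenSSL.SSL")` at startup is a cheap way to confirm the workaround is still in effect after package updates.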

