[Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

Petr Vobornik pvoborni at redhat.com
Mon Dec 7 18:59:02 UTC 2015


On 7.12.2015 16:26, Christian Heimes wrote:
> On 2015-12-07 16:17, Alexander Bokovoy wrote:
>> On Mon, 07 Dec 2015, Christian Heimes wrote:
>>> The patch fixes SELinux violations in Fedora 23.
>>>
>>> Background: Recent versions of cryptography cause SELinux violation
>>> which will lead to a segfault, see
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>>> occurs in the context of Apache HTTPD (FreeIPA web ui) when
>>> cryptography.hazmat.backends.default_backend() is initialized. I'm
>>> working on a fix for cryptography but it will take a while. First I have
>>> to wait for a new upstream release of python-cffi. Armin Ronacher plans
>>> to release cffi 1.4 in two weeks.
>>>
>>>
>>> ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>>> pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>>> module.
>>>
>>> Some dependencies like Dogtag's pki.client library and custodia use
>>> python-requests to make HTTPS connections. python-requests prefers
>>> PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>>> of python-cryptography, which triggers an execmem SELinux violation
>>> in the context of Apache HTTPD (httpd_execmem).
>>> When requests is imported, it always tries to import pyopenssl glue
>>> code from urllib3's contrib directory. The import of PyOpenSSL is
>>> enough to trigger the SELinux denial.
>>> A hack in wsgi.py prevents the import by raising an ImportError.
>> ACK. Thanks for these patches.
>>
>> Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
>> already detects apparmor by looking into /proc and disabling the use of
>> writeable and executable memory. On those platforms I suspect recent
>> enough python-cryptography would work without problem by downgrading own
>> feature set. The code in these patches should be harmless, though.
>
> Cryptography's core depends on dynamic callbacks. There is no "downgrade
> feature-set" feature.
>
> I guess the libffi uses the broken and potentially dangerous workaround
> with two shared mmap() calls with a file backend.
> (http://www.akkadia.org/drepper/selinux-mem.html). The approach requires
> a writeable, executable temp file and breaks isolation between a parent
> process and all its forked child processes.
>
> Christian
>

The patch needs to be rebased to the 4-2 branch to be usable on Fedora 23 - 
FreeIPA 4.2.3.

-- 
Petr Vobornik
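As an added illustration of the wsgi.py workaround Christian describes (this is example code, not the patch's own): a meta-path finder that makes a chosen package fail with ImportError, so urllib3's contrib glue cannot pull PyOpenSSL into the httpd process and requests falls back to the stdlib ssl module. The import name OpenSSL for PyOpenSSL is an assumption.

```python
import sys
import importlib
import importlib.abc

# Assumed top-level import name of PyOpenSSL; adjust if the package differs.
BLOCKED_MODULES = ("OpenSSL",)


class ImportBlocker(importlib.abc.MetaPathFinder):
    """Meta-path finder that makes the listed packages (and any of their
    submodules) raise ImportError instead of being loaded."""

    def __init__(self, names):
        self.names = tuple(names)

    def find_spec(self, fullname, path=None, target=None):
        top = fullname.split(".")[0]
        if top in self.names:
            # Exceptions raised here propagate out of the import statement,
            # which is what makes urllib3.contrib.pyopenssl give up cleanly.
            raise ImportError(
                "import of %r blocked to avoid execmem denial under httpd" % fullname
            )
        return None  # not ours: let the regular finders handle it


def block_imports(names=BLOCKED_MODULES):
    """Install the blocker ahead of every other finder and evict cached copies
    so that later imports of the blocked packages hit it."""
    blocker = ImportBlocker(names)
    sys.meta_path.insert(0, blocker)
    for mod in list(sys.modules):
        if mod.split(".")[0] in names:
            del sys.modules[mod]
    return blocker


def import_is_blocked(name):
    """Return True if importing `name` now raises ImportError."""
    try:
        importlib.import_module(name)
    except ImportError:
        return True
    return False


if __name__ == "__main__":
    block_imports()  # call this before `import requests` in the WSGI entry point
    print("OpenSSL blocked:", import_is_blocked("OpenSSL"))
```

Call block_imports() before anything imports requests; the blocker affects only the current process and only the names given to it.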