I've written a Python ACME client that I use to retrieve certificates
from Let's Encrypt. It uses pyca/cryptography to generate and parse
keys, certificates, CSRs, etc.
Being a security-conscious sort of person, I've also written an SELinux
policy for it, and I've lately been seeing the following SELinux denial
logged whenever the client runs.
avc: denied { search } for pid=8304 comm="python.acg" name="/"
dev="cgroup2" ino=1 scontext=system_u:system_r:acg_t:s0
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
For some reason, my Python program is trying to read from
/sys/fs/cgroup.
I've used strace to verify that this is caused by importing pretty much
any part of pyca/cryptography.
So the question is ... *why* is pyca/cryptography trying to read cgroup
information? This will determine whether I should allow or dontaudit
this access in my policy.
Thanks!
--
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================
_______________________________________________
Cryptography-dev mailing list -- [email protected]
https://mail.python.org/mailman3//lists/cryptography-dev.python.org