On 2015-12-07 16:17, Alexander Bokovoy wrote:
> On Mon, 07 Dec 2015, Christian Heimes wrote:
>> The patch fixes SELinux violations in Fedora 23.
>>
>> Background: Recent versions of cryptography cause an SELinux violation
>> which will lead to a segfault, see
>> https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>> occurs in the context of Apache HTTPD (FreeIPA web ui) when
>> cryptography.hazmat.backends.default_backend() is initialized. I'm
>> working on a fix for cryptography but it will take a while. First I have
>> to wait for a new upstream release of python-cffi. Armin Ronacher plans
>> to release cffi 1.4 in two weeks.
>>
>>
>> ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>> pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>> module.
>>
>> Some dependencies like Dogtag's pki.client library and custodia use
>> python-requests to make HTTPS connections. python-requests prefers
>> PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>> of python-cryptography which triggers an execmem SELinux violation
>> in the context of Apache HTTPD (httpd_execmem).
>> When requests is imported, it always tries to import pyopenssl glue
>> code from urllib3's contrib directory. The import of PyOpenSSL is
>> enough to trigger the SELinux denial.
>> A hack in wsgi.py prevents the import by raising an ImportError.
> ACK. Thanks for these patches.
>
> Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
> already detects apparmor by looking into /proc and disabling the use of
> writeable and executable memory. On those platforms I suspect recent
> enough python-cryptography would work without problems by downgrading its
> own feature set. The code in these patches should be harmless, though.

Cryptography's core depends on dynamic callbacks. There is no "downgrade feature-set" feature. I guess libffi uses the broken and potentially dangerous workaround with two shared mmap() with a file backend (http://www.akkadia.org/drepper/selinux-mem.html). The approach requires a writeable, executable temp file and breaks isolation between a parent process and all its forked child processes.

Christian

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
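
The thread describes keeping PyOpenSSL out of the httpd process by making its import fail with an ImportError so that callers fall back to the stdlib ssl module. The following is an added example of that mitigation, not the wsgi.py code from the FreeIPA patch; it assumes Python 3's importlib, and the module names in `BLOCKED` and the helper names are illustrative assumptions.

```python
import importlib
import importlib.abc
import sys

# Assumed module names: PyOpenSSL itself plus the urllib3 glue that imports it.
BLOCKED = (
    "OpenSSL",
    "urllib3.contrib.pyopenssl",
    "requests.packages.urllib3.contrib.pyopenssl",
)


class ImportBlocker(importlib.abc.MetaPathFinder):
    """Fail the import of blocked modules before any native code is loaded."""

    def __init__(self, names):
        self.names = tuple(names)
        self.already_loaded = []  # blocked modules imported before install

    def blocks(self, fullname):
        return any(fullname == n or fullname.startswith(n + ".")
                   for n in self.names)

    def find_spec(self, fullname, path=None, target=None):
        if self.blocks(fullname):
            raise ImportError("import of %s is blocked in this process" % fullname)
        return None  # not ours: let the regular finders handle it


def install_blocker(names=BLOCKED):
    """Put the blocker first on sys.meta_path; calling it twice is harmless."""
    for finder in sys.meta_path:
        if isinstance(finder, ImportBlocker):
            return finder
    blocker = ImportBlocker(names)
    # A finder cannot undo earlier imports, so record them for the caller.
    blocker.already_loaded = sorted(
        m for m, mod in sys.modules.items() if mod is not None and blocker.blocks(m))
    sys.meta_path.insert(0, blocker)
    return blocker


def pick_tls_backend():
    """Optional-import pattern: prefer PyOpenSSL, fall back to stdlib ssl."""
    try:
        importlib.import_module("OpenSSL.SSL")
        return "pyopenssl"
    except ImportError:
        importlib.import_module("ssl")
        return "ssl"
```

The blocker only helps if `install_blocker()` runs at the top of the WSGI entry point, before anything imports requests; a non-empty `already_loaded` means the native library was loaded earlier in the process and the denial may already have occurred.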