On 7.12.2015 16:26, Christian Heimes wrote:
On 2015-12-07 16:17, Alexander Bokovoy wrote:
On Mon, 07 Dec 2015, Christian Heimes wrote:
The patch fixes SELinux violations in Fedora 23.

Background: Recent versions of cryptography cause an SELinux violation
which leads to a segfault, see
https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
occurs in the context of Apache HTTPD (FreeIPA web ui) when
cryptography.hazmat.backends.default_backend() is initialized. I'm
working on a fix for cryptography but it will take a while. First I have
to wait for a new upstream release of python-cffi. Armin Ronacher plans
to release cffi 1.4 in two weeks.


ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
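The ImportError trick described above, as an added example that is not the FreeIPA patch itself: a meta path finder that refuses to import PyOpenSSL's top-level package (assumed to be named `OpenSSL`) before any regular finder sees it, so the `urllib3.contrib.pyopenssl` import inside requests fails with ImportError and requests falls back to the stdlib ssl module. It uses the Python 3 `importlib` finder API rather than the Python 2.7 `find_module` hook the original wsgi.py would have used.

```python
"""Block the import of PyOpenSSL so requests/urllib3 fall back to stdlib ssl."""
import importlib
import sys
from importlib.abc import MetaPathFinder


class BlockedModuleFinder(MetaPathFinder):
    """Meta path finder that refuses to import the named top-level packages.

    Placed first in sys.meta_path, find_spec() runs before the normal finders,
    so raising ImportError here stops the import before any code is loaded.
    """

    def __init__(self, blocked):
        self.blocked = frozenset(blocked)

    def find_spec(self, fullname, path=None, target=None):
        top = fullname.partition(".")[0]  # "OpenSSL.SSL" -> "OpenSSL"
        if top in self.blocked:
            raise ImportError("import of %r is blocked in this process" % fullname)
        return None  # not ours: let the regular finders handle it


def install_import_block(blocked=("OpenSSL",)):
    """Install the finder and purge already-imported copies of the modules."""
    for name in list(sys.modules):
        if name.partition(".")[0] in blocked:
            del sys.modules[name]  # otherwise the cached module would be reused
    finder = BlockedModuleFinder(blocked)
    sys.meta_path.insert(0, finder)
    return finder


def uninstall_import_block(finder):
    """Remove a finder returned by install_import_block()."""
    sys.meta_path.remove(finder)


def block_reason(name):
    """Return the ImportError message for `name`, or None if it imports fine."""
    try:
        importlib.import_module(name)
    except ImportError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    install_import_block()
    print(block_reason("OpenSSL.SSL"))  # blocked, whether or not PyOpenSSL is installed
```

Install the block only in the process where the fallback is wanted (the httpd WSGI entry point); every other PyOpenSSL consumer in that process loses the module too.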
ACK. Thanks for these patches.

Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
already detects apparmor by looking into /proc and disabling the use of
writeable and executable memory. On those platforms I suspect recent
enough python-cryptography would work without problem by downgrading its
own feature set. The code in these patches should be harmless, though.

Cryptography's core depends on dynamic callbacks. There is no "downgrade
feature-set" feature.

I guess libffi uses the broken and potentially dangerous workaround
with two shared mmap()s with a file backend.
(http://www.akkadia.org/drepper/selinux-mem.html). The approach requires
a writeable, executable temp file and breaks isolation between a parent
process and all its forked child processes.

Christian


The patch needs to be rebased to 4-2 branch to be usable on Fedora 23 - FreeIPA 4.2.3.

--
Petr Vobornik
