On 2015-12-07 19:59, Petr Vobornik wrote:
> On 7.12.2015 16:26, Christian Heimes wrote:
>> On 2015-12-07 16:17, Alexander Bokovoy wrote:
>>> On Mon, 07 Dec 2015, Christian Heimes wrote:
>>>> The patch fixes SELinux violations in Fedora 23.
>>>>
>>>> Background: Recent versions of cryptography cause an SELinux violation
>>>> which will lead to a segfault, see
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only
>>>> occurs in the context of Apache HTTPD (FreeIPA web ui) when
>>>> cryptography.hazmat.backends.default_backend() is initialized. I'm
>>>> working on a fix for cryptography but it will take a while. First I
>>>> have to wait for a new upstream release of python-cffi. Armin Ronacher
>>>> plans to release cffi 1.4 in two weeks.
>>>>
>>>>
>>>> ipaserver.dcerpc uses M2Crypto again on Python 2.7 and Dogtag's
>>>> pki.client no longer tries to use PyOpenSSL instead of Python's ssl
>>>> module.
>>>>
>>>> Some dependencies like Dogtag's pki.client library and custodia use
>>>> python-requests to make HTTPS connections. python-requests prefers
>>>> PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
>>>> of python-cryptography which triggers an execmem SELinux violation
>>>> in the context of Apache HTTPD (httpd_execmem).
>>>> When requests is imported, it always tries to import pyopenssl glue
>>>> code from urllib3's contrib directory. The import of PyOpenSSL is
>>>> enough to trigger the SELinux denial.
>>>> A hack in wsgi.py prevents the import by raising an ImportError.
>>> ACK. Thanks for these patches.
>>>
>>> Note to Debian/Ubuntu maintainers: AppArmor 'support' in python-cffi
>>> already detects apparmor by looking into /proc and disabling the use of
>>> writeable and executable memory. On those platforms I suspect recent
>>> enough python-cryptography would work without problem by downgrading its
>>> own feature set. The code in these patches should be harmless, though.
>>
>> Cryptography's core depends on dynamic callbacks. There is no "downgrade
>> feature-set" feature.
>>
>> I guess libffi uses the broken and potentially dangerous workaround
>> with two shared mmap() mappings with a file backend
>> (http://www.akkadia.org/drepper/selinux-mem.html). The approach requires
>> a writeable, executable temp file and breaks isolation between a parent
>> process and all its forked child processes.
>>
>> Christian
>>
> 
> The patch needs to be rebased to 4-2 branch to be usable on Fedora 23 -
> FreeIPA 4.2.3.

For FreeIPA 4.2 only the patch in wsgi.py is needed. The older version
doesn't use cryptography for RC4. I've attached a patch.

Christian

From ef68483bb3c9e328e3d65e0c02327cdb5ac9859a Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 8 Dec 2015 11:18:22 +0100
Subject: [PATCH 26/26] Workarounds for SELinux execmem violations in
 cryptography

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
A hack in wsgi.py prevents the import by raising an ImportError.
---
 install/share/wsgi.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index 9f7d3f487dbe07f60b748cfd48d533495de99f2c..ffeb3bb6caea62c82d19e4e772b47efa43cc715f 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@
 """
 WSGI appliction for IPA server.
 """
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None
+
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
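Review bot: The `sys.modules` key on the added `+sys.modules['request.packages.urllib3.contrib.pyopenssl'] = None` line is spelled `request.`, while the comment directly above it and the commit message describe the `requests` package; the entry therefore never matches the module name that requests actually imports (`requests.packages.urllib3.contrib.pyopenssl`), so the ImportError is never raised and the PyOpenSSL glue still loads. Change the key to `'requests.packages.urllib3.contrib.pyopenssl'`. Since the whole fix hinges on this one string, it would be worth verifying on a Fedora 23 host after httpd restart that neither `OpenSSL` nor `cryptography` appears in `sys.modules` of the WSGI process and that the audit log shows no further `httpd_execmem` denials.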
-- 
2.5.0
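The mechanism the patch relies on, as an added, self-contained example that is not FreeIPA code: Python raises ImportError for any module whose `sys.modules` entry is `None`, and requests wraps its optional PyOpenSSL import in `try/except ImportError`, so a `None` entry installed before requests is first imported makes it fall back to the stdlib `ssl` path. Because requests itself may not be installed where this runs, the example writes a constructed stand-in package `fakereq` (hypothetical name) to a temporary directory that mimics that optional-import pattern, then imports it with no blocker, with the correct key, and with a misspelled key, so the effect of getting the key wrong is visible. Python 3 and the standard library only are assumed.

```python
"""Demonstrate blocking an optional import via sys.modules[name] = None.

Added example, not part of the FreeIPA patch.  `fakereq` is a constructed
stand-in for python-requests; its __init__ tries to import an optional
glue module and silently falls back on ImportError, as requests does with
its PyOpenSSL glue.
"""
import importlib
import os
import sys
import tempfile
import textwrap
import types

PKG = "fakereq"                       # hypothetical stand-in for "requests"
GLUE = PKG + ".contrib.pyopenssl"     # the optional glue module to block


def _write_fake_package(root):
    """Create fakereq/ with the same try/except import pattern as requests."""
    os.makedirs(os.path.join(root, PKG, "contrib"))
    with open(os.path.join(root, PKG, "__init__.py"), "w") as f:
        f.write(textwrap.dedent("""\
            GLUE_LOADED = False
            try:
                from .contrib import pyopenssl   # optional, like requests
                GLUE_LOADED = True
            except ImportError:
                pass
        """))
    open(os.path.join(root, PKG, "contrib", "__init__.py"), "w").close()
    with open(os.path.join(root, PKG, "contrib", "pyopenssl.py"), "w") as f:
        f.write("# on a real host this is where PyOpenSSL/cryptography load\n")


def _forget(prefix):
    """Drop cached modules so each import starts from disk."""
    for name in list(sys.modules):
        if name == prefix or name.startswith(prefix + "."):
            del sys.modules[name]


def is_loaded(name):
    """True only if a real module object (not a None blocker) is cached."""
    return isinstance(sys.modules.get(name), types.ModuleType)


def glue_loaded(block_key=None):
    """Import the stand-in package, optionally after installing a sys.modules
    blocker under `block_key`, and report whether the glue module loaded."""
    with tempfile.TemporaryDirectory() as root:
        _write_fake_package(root)
        sys.path.insert(0, root)
        importlib.invalidate_caches()
        _forget(PKG)
        try:
            if block_key is not None:
                sys.modules[block_key] = None   # the wsgi.py trick
            mod = importlib.import_module(PKG)
            # Both views agree: the package's own flag and the module cache.
            return bool(mod.GLUE_LOADED) and is_loaded(GLUE)
        finally:
            _forget(PKG)
            if block_key is not None:
                sys.modules.pop(block_key, None)
            sys.path.remove(root)


if __name__ == "__main__":
    print("no blocker      :", glue_loaded())                   # True
    print("correct key     :", glue_loaded(GLUE))               # False
    print("misspelled key  :", glue_loaded("fakreq.contrib.pyopenssl"))  # True
```

The blocker has to be installed before the first import of the package it targets, which is why the patch places it ahead of `from ipalib import api`; any module imported earlier that pulls in requests would defeat it. `is_loaded` is the post-hoc check a deployer can run inside the WSGI process: a `None` entry is not a loaded module, so it reports `False` for a successfully blocked name.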


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code