From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Thu, 1 Sep 2016 17:04:06 +0300

Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography

pki.client no longer tries to use PyOpenSSL instead of Python's ssl

module.

Some dependencies like Dogtag's pki.client library and custodia use

python-requsts to make HTTPS connection. python-requests prefers

PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top

of python-cryptography which trigger a execmem SELinux violation

in the context of Apache HTTPD (httpd_execmem).

When requests is imported, it always tries to import pyopenssl glue

code from urllib3's contrib directory. The import of PyOpenSSL is

enough to trigger the SELinux denial.

A hack in wsgi.py prevents the import by raising an ImportError.

---

 install/share/wsgi.py | 14 ++++++++++++++

 1 file changed, 14 insertions(+)

diff --git a/install/share/wsgi.py b/install/share/wsgi.py

index ee9311e..bb201fa 100644

--- a/install/share/wsgi.py

+++ b/install/share/wsgi.py

@@ -23,6 +23,20 @@

 """

 WSGI appliction for IPA server.

 """

+import sys

+

+# Some dependencies like Dogtag's pki.client library and custodia use

+# python-requsts to make HTTPS connection. python-requests prefers

+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top

+# of python-cryptography which trigger a execmem SELinux violation

+# in the context of Apache HTTPD (httpd_execmem).

+# When requests is imported, it always tries to import pyopenssl glue

+# code from urllib3's contrib directory. The import of PyOpenSSL is

+# enough to trigger the SELinux denial.

+# This hack prevents the import by raising an ImportError.

+

+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None

+

 from ipalib import api

 from ipalib.config import Env

 from ipalib.constants import DEFAULT_CONFIG

-- 

2.7.4