From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 1 Sep 2016 17:04:06 +0300
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography

pki.client no longer tries to use PyOpenSSL instead of Python's ssl
module.

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).

When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.

A hack in wsgi.py prevents the import by raising an ImportError.
---
install/share/wsgi.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index ee9311e..bb201fa 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@
"""
WSGI appliction for IPA server.
"""
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
+
from ipalib import api
from ipalib.config import Env
from ipalib.constants import DEFAULT_CONFIG
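Review bot: The added `sys.modules[...] = None` line blocks only the vendored name `requests.packages.urllib3.contrib.pyopenssl`; if the glue module can also be reached under the unbundled name `urllib3.contrib.pyopenssl`, that import is not covered and PyOpenSSL would still load. Consider adding a second entry for that name, or state in the comment which packaging of requests this relies on. The guard also works only because it runs before the `from ipalib import api` line that follows, so the comment should say the assignment must stay above every import that can pull in requests. The new comment block carries the typos "python-requsts", "build on top" and "which trigger a", which are worth fixing before merge.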
--
2.7.4