From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 1 Sep 2016 17:04:06 +0300
Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography pki.client no longer tries to use PyOpenSSL instead of Python's ssl module. Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. A hack in wsgi.py prevents the import by raising an ImportError.
---
install/share/wsgi.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index ee9311e..bb201fa 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -23,6 +23,20 @@
 """
 WSGI appliction for IPA server.
 """
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# This hack prevents the import by raising an ImportError.
+
+sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
+
 from ipalib import api
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
--
2.7.4
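Review bot: The blocker only covers the vendored module path `requests.packages.urllib3.contrib.pyopenssl`; where requests is built against a separately packaged urllib3 the glue code is presumably imported as `urllib3.contrib.pyopenssl` instead, so this single key would leave the PyOpenSSL import (and the execmem denial it triggers) unblocked on such installs — adding `sys.modules['urllib3.contrib.pyopenssl'] = None` next to it would cover both layouts. The assignment is also order-sensitive: it must execute before anything can load requests, and it currently works only because it sits above `from ipalib import api`, so a comment like `# Must stay above every import that can (transitively) load requests.` would protect it from a later import reshuffle. Minor: the added comment carries typos (`python-requsts`, `is build on`, `which trigger a`).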