freeipa

Clone
Source Code
GIT

52dd5e1 Block PyOpenSSL to prevent SELinux execmem in wsgi

1 file Authored by cheimes 6 years ago, Committed by tkrizek 6 years ago,
raw patch tree parent
1 file changed. 12 lines added. 0 lines removed.
install/share/wsgi.py
file modified
+12 -0 
    Block PyOpenSSL to prevent SELinux execmem in wsgi
    
    Some dependencies like Dogtag's pki.client library and custodia use
    python-requsts to make HTTPS connection. python-requests prefers
    PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
    of python-cryptography which trigger a execmem SELinux violation
    in the context of Apache HTTPD (httpd_execmem).
    
    When requests is imported, it always tries to import pyopenssl glue
    code from urllib3's contrib directory. The import of PyOpenSSL is
    enough to trigger the SELinux denial.
    
    Block any import of PyOpenSSL's SSL module in wsgi by raising an
    ImportError. The block is compatible with new python-requests with
    unbundled urllib3, too.
    
    Fixes: https://pagure.io/freeipa/issue/5442
    Fixes: RHBZ#1491508
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
file modified
+12 -0
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.