From 52dd5e138b7ebec68c7280122b1284648bd4117b Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Oct 18 2017 10:10:54 +0000 Subject: Block PyOpenSSL to prevent SELinux execmem in wsgi Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. Block any import of PyOpenSSL's SSL module in wsgi by raising an ImportError. The block is compatible with new python-requests with unbundled urllib3, too. Fixes: https://pagure.io/freeipa/issue/5442 Fixes: RHBZ#1491508 Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy Reviewed-By: Tomas Krizek --- diff --git a/install/share/wsgi.py b/install/share/wsgi.py index e263b81..e5cabc0 100644 --- a/install/share/wsgi.py +++ b/install/share/wsgi.py @@ -25,6 +25,18 @@ WSGI appliction for IPA server. """ import logging import os +import sys + +# Some dependencies like Dogtag's pki.client library and custodia use +# python-requsts to make HTTPS connection. python-requests prefers +# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top +# of python-cryptography which trigger a execmem SELinux violation +# in the context of Apache HTTPD (httpd_execmem). +# When requests is imported, it always tries to import pyopenssl glue +# code from urllib3's contrib directory. The import of PyOpenSSL is +# enough to trigger the SELinux denial. +# Block any import of PyOpenSSL's SSL module by raising an ImportError +sys.modules['OpenSSL.SSL'] = None from ipaplatform.paths import paths from ipalib import api