#5442 [tracker] SELinux 'execmem' denials
Closed: fixed 2 years ago Opened 4 years ago by cheimes.

When python-ndg_httpsclient and pyOpenSSL are installed, the FreeIPA web ui fails and segfaults with SELinux violation. The segfault is caused by a bug in python-cffi. The problem didn't show up in QE because these packages are not installed by default. In the absence of PyOpenSSL and ndg.httpsclient, Dogtag PKI uses python-requests with Python's stdlib ssl module. In the presence of both packages, ​pyopenssl.inject_into_urllib3() is triggered in requests.

Dogtag PKI issue: https://fedorahosted.org/pki/ticket/1690

upstream cffi issue: https://bitbucket.org/cffi/cffi/issues/231/writeable-memory-execution-execmem-with

quick fix

Recommended: Remove the package that provides ndg.httpsclient

# dnf remove python-ndg_httpsclient
# systemctl restart httpd

If you can't remove the package, you can also allow execmem for httpd. WARNING: The approach has security implications and is not recommended, because it disables an important security feature.

# setsebool -P httpd_execmem 1
# systemctl restart httpd

I've posted patches for 4.2 and 4.3 to address the issue. The patch adds a workaround that prevents request's urllib3 from injecting PyOpenSSL into urllib3.

I noticed execmem denials from the FreeIPA web UI again after upgrading my server to F24, even though mitigations have been claimed at various levels for this.

Running freeipa-server-4.3.1-1.fc24.x86_64 . I got a whole ton of execmem denials while trying to start IPA, and eventually it failed. Removing python2-ndg_httpsclient made them go away. They look like this, in ausearch:

time->Tue Jun 21 09:16:39 2016
type=AVC msg=audit(1466525799.965:2047): avc: denied { execmem } for pid=9316 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

through the IPA startup attempt, there were very consistently two such denials every three seconds.

Hi Adam,

I just noticed that the workaround has an embarrassing typo. :( Please edit /usr/share/ipa/wsgi.py and change request to requests:

sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
                   ^^^

Work for me with following packages:

$ rpm -q python-cffi freeipa-server python2-ndg_httpsclient
python-cffi-1.4.2-1.fc23.x86_64
freeipa-server-4.2.4-1.fc23.x86_64
python2-ndg_httpsclient-0.4.0-2.fc23.noarch

I am a little bit confused.
The last comment says that it works with some versions of packages in fc23+.

However, there is still downstream patch in fedora.
BTW there are different versions in fc24 and fc25

https://src.fedoraproject.org/cgit/rpms/freeipa.git/tree/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f24

https://src.fedoraproject.org/cgit/rpms/freeipa.git/tree/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f25

The version on fc25 looks quite simple an was updated 3 months ago. https://src.fedoraproject.org/cgit/rpms/freeipa.git/commit/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f25&id=dd5971f43af1dbf1b5b8b63e84358da8b2e5a46d

Is there a reason why it cannot be also in upstream?
It would be good to get rid of downstream only patches.

The patch https://src.fedoraproject.org/cgit/rpms/freeipa.git/commit/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f25&id=dd5971f43af1dbf1b5b8b63e84358da8b2e5a46d for DCERPC can be removed once we require python-cryptography >= 1.7.1. Only the password callback uses dynamic callbacks for Python >= 3.5. For Fedora we can address the issue in a patch. For upstream I have opened https://github.com/pyca/cryptography/issues/3348 .

The PyOpenSSL workaround is another issue. Lukas and I discussed it on #freeipa. For the record the PyOpenSSL workaround is still required. PyOpenSSL is still using dynamic callbacks, which trigger execmem violations. It would take a major effort and redesign of PyOpenSSL's callback system to fix it. Neither me nor Hynek (maintainer of PyOpenSSL) want to invest time and effort.

Metadata Update from @cheimes:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.2.5

3 years ago

Metadata Update from @pvoborni:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago

@pvoborni please reopen this ticket. And read properly last Christian's comment https://pagure.io/freeipa/issue/5442#comment-326148.

This issue is still in 4.4 and there is downstream only patch in dist-git.

Or provide better explanation for wontfix

Metadata Update from @stlaz:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.2.5)
- Issue status updated to: Open (was: Closed)

2 years ago

Reopening the ticket, the issue persists in latest versions.

master:

  • dea059d Block PyOpenSSL to prevent SELinux execmem in wsgi

ipa-4-6:

  • 52dd5e1 Block PyOpenSSL to prevent SELinux execmem in wsgi

ipa-4-5:

  • e527dd1 Block PyOpenSSL to prevent SELinux execmem in wsgi

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata