Block PyOpenSSL to prevent SELinux execmem in wsgi

Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. Block any import of PyOpenSSL's SSL module in wsgi by raising an ImportError. The block is compatible with new python-requests with unbundled urllib3, too. Fixes: https://pagure.io/freeipa/issue/5442 Fixes: RHBZ#1491508 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
freeipa · Oct 18, 2017 · dea059d · dea059d
1 parent 9b8b7af
commit dea059d
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
@@ -25,6 +25,18 @@
 """
 import logging
 import os
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# Block any import of PyOpenSSL's SSL module by raising an ImportError
+sys.modules['OpenSSL.SSL'] = None
 
 from ipaplatform.paths import paths
 from ipalib import api