[freeipa PR#1161][opened] Block PyOpenSSL to prevent SELinux execmem in wsgi
by tiran
URL: https://github.com/freeipa/freeipa/pull/1161
Author: tiran
Title: #1161: Block PyOpenSSL to prevent SELinux execmem in wsgi
Action: opened
PR body:
"""
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1161/head:pr1161
git checkout pr1161
6 years, 6 months
[freeipa PR#1160][opened] Block PyOpenSSL to prevent SELinux execmem in wsgi
by tiran
URL: https://github.com/freeipa/freeipa/pull/1160
Author: tiran
Title: #1160: Block PyOpenSSL to prevent SELinux execmem in wsgi
Action: opened
PR body:
"""
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1160/head:pr1160
git checkout pr1160
6 years, 6 months
[freeipa PR#1158][opened] Block PyOpenSSL to prevent SELinux execmem in wsgi
by tiran
URL: https://github.com/freeipa/freeipa/pull/1158
Author: tiran
Title: #1158: Block PyOpenSSL to prevent SELinux execmem in wsgi
Action: opened
PR body:
"""
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: FreeIPA #5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1158/head:pr1158
git checkout pr1158
6 years, 6 months
[freeipa PR#1159][opened] Backport 7151
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/1159
Author: flo-renaud
Title: #1159: Backport 7151
Action: opened
PR body:
"""
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...)
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stop tracking
all the certs, reconfigures the helpers, starts tracking the certs so that
the config is up-to-date.
The issue is that the criteria is using the keyword 'ca' instead of
'ca-name' and this leads to upgrade believing that the config needs to be
updated in all the cases.
https://pagure.io/freeipa/issue/7151
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1159/head:pr1159
git checkout pr1159
6 years, 6 months