When python-ndg_httpsclient and pyOpenSSL are installed, the FreeIPA web UI fails and segfaults with an SELinux violation. The segfault is caused by a bug in python-cffi. The problem didn't show up in QE because these packages are not installed by default. In the absence of PyOpenSSL and ndg.httpsclient, Dogtag PKI uses python-requests with Python's stdlib ssl module. In the presence of both packages, pyopenssl.inject_into_urllib3() is triggered in requests.
Dogtag PKI issue: https://fedorahosted.org/pki/ticket/1690
upstream cffi issue: https://bitbucket.org/cffi/cffi/issues/231/writeable-memory-execution-execmem-with
Recommended: Remove the package that provides ndg.httpsclient
# dnf remove python-ndg_httpsclient
# systemctl restart httpd
If you can't remove the package, you can also allow execmem for httpd. WARNING: The approach has security implications and is not recommended, because it disables an important security feature.
# setsebool -P httpd_execmem 1
# systemctl restart httpd
I've posted patches for 4.2 and 4.3 to address the issue. The patch adds a workaround that prevents request's urllib3 from injecting PyOpenSSL into urllib3.
FreeIPA 4.2.4 on Fedora 23 was updated: https://bodhi.fedoraproject.org/updates/freeipa-4.2.3-2.fc23
Testing welcome!
Fedora Rawhide was updated as well: http://koji.fedoraproject.org/koji/taskinfo?taskID=12114335
I noticed execmem denials from the FreeIPA web UI again after upgrading my server to F24, even though mitigations have been claimed at various levels for this.
Running freeipa-server-4.3.1-1.fc24.x86_64. I got a whole ton of execmem denials while trying to start IPA, and eventually it failed. Removing python2-ndg_httpsclient made them go away. They look like this, in ausearch:
time->Tue Jun 21 09:16:39 2016
type=AVC msg=audit(1466525799.965:2047): avc: denied { execmem } for pid=9316 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Through the IPA startup attempt, there were very consistently two such denials every three seconds.
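The AVC record quoted above is the signature to look for when triaging this problem: an enforced (permissive=0) execmem denial against tclass=process from the httpd_t domain. The following is an added example, not code from the ticket or from FreeIPA, that parses ausearch-style output, keeps only those records, and measures their rate. The sample records are constructed to resemble the one quoted above (the second and third records, their timestamps and serial numbers are made up), and real ausearch output uses double spaces around "denied" and "for", which the patterns tolerate.

```python
"""Flag SELinux execmem denials from httpd_t in ausearch output.

Added example for illustration; not part of FreeIPA or the issue tracker.
"""
import re

# Constructed sample modelled on the record quoted in the ticket. Only the
# first record is real; the other two (timestamps, serials, the sshd line)
# are made up to give the filter something to reject.
SAMPLE_AUSEARCH = """\
time->Tue Jun 21 09:16:39 2016
type=AVC msg=audit(1466525799.965:2047): avc: denied { execmem } for pid=9316 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
----
time->Tue Jun 21 09:16:42 2016
type=AVC msg=audit(1466525802.965:2049): avc: denied { execmem } for pid=9316 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
----
time->Tue Jun 21 09:16:45 2016
type=AVC msg=audit(1466525805.300:2051): avc: denied { read } for pid=1200 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Fields of a kernel AVC record; \s+ absorbs the single or double spacing
# that ausearch emits.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)
TS_RE = re.compile(r'msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\)')


def parse_avc(text):
    """Return one dict per 'type=AVC' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        ts = TS_RE.search(line)
        if not m or not ts:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["epoch"] = float(ts.group("epoch"))
        rec["serial"] = int(ts.group("serial"))
        rec["permissive"] = rec["permissive"] == "1"
        # scontext is user:role:type:level; the type is what policy matches on
        rec["stype"] = rec["scontext"].split(":")[2]
        records.append(rec)
    return records


def execmem_denials(records, source_type="httpd_t"):
    """Enforced execmem denials on the process class from source_type."""
    return [r for r in records
            if r["perm"] == "execmem"
            and r["tclass"] == "process"
            and r["stype"] == source_type
            and not r["permissive"]]


def denial_rate(records):
    """Average denials per second over the span of the records (0.0 if fewer than two)."""
    if len(records) < 2:
        return 0.0
    span = records[-1]["epoch"] - records[0]["epoch"]
    return (len(records) - 1) / span if span > 0 else 0.0


if __name__ == "__main__":
    hits = execmem_denials(parse_avc(SAMPLE_AUSEARCH))
    for r in hits:
        print(f'pid={r["pid"]} comm={r["comm"]} serial={r["serial"]} execmem denied')
    print(f"{len(hits)} execmem denials, {denial_rate(hits):.3f}/s")
```

Run it against `ausearch -m AVC -ts recent` output to confirm the denials come from httpd_t and are enforced before deciding between removing python-ndg_httpsclient and the less desirable httpd_execmem boolean.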
Hi Adam,
I just noticed that the workaround has an embarrassing typo. :( Please edit /usr/share/ipa/wsgi.py and change request to requests:
sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None
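The wsgi.py line above relies on a CPython import rule: a None entry in sys.modules makes any later import of that name raise ImportError rather than load the module, so requests never gets to call inject_into_urllib3(). The block below is an added illustration of that mechanism, not FreeIPA's or requests' code. It uses a constructed package name (fakerequests.contrib.pyopenssl) registered in sys.modules so it runs without requests installed; inject_into_urllib3 here is a stand-in that only records that it was called.

```python
"""Demonstrate blocking a module import by placing None in sys.modules.

Added example; the fake package is a constructed stand-in for
requests.packages.urllib3.contrib.pyopenssl, not the real module.
"""
import importlib
import sys
import types

FAKE_PKG = "fakerequests"                   # constructed name, not a real package
FAKE_CONTRIB = "fakerequests.contrib.pyopenssl"


def install_fake_package():
    """Register a fake package tree in sys.modules as if it had been imported.

    The leaf module mimics urllib3's contrib module: importing it and calling
    inject_into_urllib3() is what swaps the stdlib ssl backend for PyOpenSSL.
    """
    pkg = types.ModuleType(FAKE_PKG)
    pkg.__path__ = []                        # mark as a package
    contrib = types.ModuleType(FAKE_PKG + ".contrib")
    contrib.__path__ = []
    leaf = types.ModuleType(FAKE_CONTRIB)
    leaf.injected = False

    def inject_into_urllib3():
        leaf.injected = True                 # stand-in for the real monkey-patch
    leaf.inject_into_urllib3 = inject_into_urllib3

    for mod in (pkg, contrib, leaf):
        sys.modules[mod.__name__] = mod
    return leaf


def block_module(name):
    """The workaround from wsgi.py: None in sys.modules halts later imports."""
    sys.modules[name] = None


def try_inject(name):
    """Mimic requests: import the contrib module and inject if that succeeds.

    Returns True when injection happened, False when the import was halted.
    """
    try:
        mod = importlib.import_module(name)
    except ImportError:                      # ModuleNotFoundError is a subclass
        return False
    mod.inject_into_urllib3()
    return True


def demo():
    """Return (injected_without_workaround, injected_with_workaround)."""
    install_fake_package()
    without = try_inject(FAKE_CONTRIB)       # nothing stops the injection
    install_fake_package()                   # reset to a clean state
    block_module(FAKE_CONTRIB)               # must happen before the import
    with_block = try_inject(FAKE_CONTRIB)    # import halted; no injection
    return without, with_block


if __name__ == "__main__":
    print(demo())
```

The order matters: the sys.modules assignment only prevents future imports, so in wsgi.py it has to run before anything imports requests; a module that was already imported keeps working through the references that already hold it.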
Work for me with following packages:
$ rpm -q python-cffi freeipa-server python2-ndg_httpsclient
python-cffi-1.4.2-1.fc23.x86_64
freeipa-server-4.2.4-1.fc23.x86_64
python2-ndg_httpsclient-0.4.0-2.fc23.noarch
I am a little bit confused. The last comment says that it works with some versions of packages in fc23+.
However, there is still downstream patch in fedora. BTW there are different versions in fc24 and fc25
https://src.fedoraproject.org/cgit/rpms/freeipa.git/tree/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f24
https://src.fedoraproject.org/cgit/rpms/freeipa.git/tree/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f25
The version on fc25 looks quite simple and was updated 3 months ago. https://src.fedoraproject.org/cgit/rpms/freeipa.git/commit/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f25&id=dd5971f43af1dbf1b5b8b63e84358da8b2e5a46d
Is there a reason why it cannot be also in upstream? It would be good to get rid of downstream only patches.
The patch https://src.fedoraproject.org/cgit/rpms/freeipa.git/commit/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch?h=f25&id=dd5971f43af1dbf1b5b8b63e84358da8b2e5a46d for DCERPC can be removed once we require python-cryptography >= 1.7.1. Only the password callback uses dynamic callbacks for Python >= 3.5. For Fedora we can address the issue in a patch. For upstream I have opened https://github.com/pyca/cryptography/issues/3348 .
The PyOpenSSL workaround is another issue. Lukas and I discussed it on #freeipa. For the record, the PyOpenSSL workaround is still required. PyOpenSSL is still using dynamic callbacks, which trigger execmem violations. It would take a major effort and redesign of PyOpenSSL's callback system to fix it. Neither I nor Hynek (maintainer of PyOpenSSL) want to invest the time and effort.
Metadata Update from @cheimes: - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.2.5
4.2 branch is EOL
Metadata Update from @pvoborni: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
@pvoborni please reopen this ticket. And read Christian's last comment properly: https://pagure.io/freeipa/issue/5442#comment-326148.
This issue is still in 4.4 and there is downstream only patch in dist-git.
Or provide better explanation for wontfix
Metadata Update from @stlaz: - Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.2.5) - Issue status updated to: Open (was: Closed)
Reopening the ticket, the issue persists in latest versions.
master:
ipa-4-6:
ipa-4-5:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
@pvoborni Thank you very much for ignoring my comment for 7 months https://pagure.io/freeipa/issue/5442#comment-433144