Bug 1337141

Summary: python-cryptography is broken in a mod_wsgi environment due to execmem requirement

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrick Uiterwijk <puiterwijk> |
| Component: | python-cryptography | Assignee: | Nathaniel McCallum <npmccallum> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | cheimes, npmccallum, rsawhill |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-07 14:19:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1298243 | | |

Attachments:
Created attachment 1159018
Delay locking callback patch for python-cryptography 0.8.3

The creation of the locking callback handler is delayed. With CPython the internal _ssl takes care of registering lock handlers.

Created attachment 1159056
Alternative: monkey patch for Ipsilon

Untested monkey patch for Ipsilon
Description of problem:

When using python-cryptography in mod_wsgi, the call

    cls.ffi.callback("void(int, int, const char *, int)", cls._lock_cb)

in cryptography/hazmat/bindings/openssl/binding.py requires an execmem permission, which httpd doesn't have.

Version-Release number of selected component (if applicable):

python-cryptography 0.8.2

How reproducible:

Consistent

Steps to Reproduce:

1. sestatus
2. yum install -y python-cffi mod_wsgi httpd python-cryptography
3. yum update -y
4. vi /etc/httpd/conf.d/test.conf
5. vi /usr/libexec/cryptotest
6. service httpd start
7. tail -f /var/log/httpd/error_log /var/log/audit/audit.log

test.conf:

    WSGIScriptAlias / /usr/libexec/cryptotest
    <Directory /usr/libexec>
        Require all granted
    </Directory>

cryptotest (Python 2 WSGI script; it deliberately defines no "application"):

    print 'Import fernet'
    # The crash happens while this import initialises the OpenSSL binding.
    from cryptography.fernet import Fernet
    key = Fernet.generate_key()
    f = Fernet(key)
    print 'Done with fernet'

Visit web server.

Actual results:

See 500 server error.

    ==> /var/log/httpd/error_log <==
    [Tue May 17 12:40:23.225569 2016] [:error] [pid 22291] Import fernet
    [Tue May 17 12:40:23.250668 2016] [core:notice] [pid 22287] AH00052: child pid 22290 exit signal Segmentation fault (11)

    ==> /var/log/audit/audit.log <==
    type=AVC msg=audit(1463488824.018:187): avc: denied { execmem } for pid=22291 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Expected results:

404 (because the wsgi doesn't have an "application").

Additional info:

Moving the `if not cls._lock_cb_handle:` block after the `if cls.lib.CRYPTO_get_locking_callback() != cls.ffi.NULL:` block fixes the issue, because seemingly CPython ssl has its own locking.
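The AVC record above is the signal a practitioner should be looking for: `execmem` on `tclass=process` means the subject tried to map anonymous memory that is writable and executable at once, which is exactly what a libffi closure created by cffi's `ffi.callback()` needs, and which the `httpd_t` domain is denied by default. The following Python 3 script is an added example (not part of this bug report or of python-cryptography): it parses audit.log AVC records, picks out process-class execmem denials, and maps each one to a remediation, preferring the code fix described in this bug over the stock RHEL 7 `httpd_execmem` boolean. The audit.log text embedded in it is constructed: the first record is the line quoted in the report, the other two are filler showing what the scanner skips. The `audit2allow -a -M local` fallback for non-httpd domains is a general suggestion, not something the report discusses.

```python
"""Pick out SELinux execmem denials from audit.log and say what to do about them.

Added example; not part of this bug report or of python-cryptography. The
audit.log text below is constructed: the first record is the AVC line from
the report, the others are filler to show what the scanner skips.
"""
import re
from datetime import datetime, timezone

# type=AVC msg=audit(<epoch>.<ms>:<serial>): avc: denied { perm ... } for <key=value ...>
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: record 187 is the denial quoted in the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1463488824.018:187): avc:  denied  { execmem } for  pid=22291 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1463488830.501:188): avc:  denied  { read } for  pid=22292 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SERVICE_START msg=audit(1463488800.000:180): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" res=success'
"""


def _selinux_type(context):
    """user:role:type:level -> type (e.g. httpd_t); '' if the context is malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("rest")):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc).isoformat(),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": _selinux_type(fields.get("scontext", "")),
        "target_type": _selinux_type(fields.get("tcontext", "")),
        "fields": fields,
    }


def is_execmem_denial(rec):
    """execmem on tclass=process: the subject asked for anonymous memory that is
    writable and executable at once (mmap/mprotect with PROT_WRITE|PROT_EXEC),
    which is what a libffi closure created by cffi's ffi.callback() needs."""
    return (rec["result"] == "denied"
            and "execmem" in rec["perms"]
            and rec["fields"].get("tclass") == "process")


def scan_audit_log(text):
    """All execmem denials in an audit.log excerpt, in file order."""
    return [r for r in map(parse_avc, text.splitlines())
            if r is not None and is_execmem_denial(r)]


def remediation(rec):
    """Ordered list of fixes, safest first."""
    comm = rec["fields"].get("comm", "?")
    dom = rec["source_type"]
    options = [
        f"Fix the code running in {comm} ({dom}) so it never creates W+X memory; "
        f"for cffi that means not calling ffi.callback() in this domain "
        f"(the patch on this bug skips it when OpenSSL already has a locking callback).",
    ]
    if dom == "httpd_t":
        # httpd_execmem is the stock RHEL 7 boolean for this denial; it lifts the
        # restriction for every httpd child, so it is a fallback, not a fix.
        options.append("Fallback: setsebool -P httpd_execmem on")
    else:
        options.append("Fallback: audit2allow -a -M local && semodule -i local.pp "
                       "(review the generated .te file before loading it)")
    return options


if __name__ == "__main__":
    for rec in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{rec['time']} serial={rec['serial']} pid={rec['fields']['pid']} "
              f"comm={rec['fields']['comm']} domain={rec['source_type']}")
        for opt in remediation(rec):
            print("  -", opt)
```

Run it against a real log with `scan_audit_log(open("/var/log/audit/audit.log").read())`. The regex tolerates both the double-spaced form auditd writes and the single-spaced form quoted in the report, and the timestamp is rendered in UTC because audit epoch stamps are timezone-free, unlike the local-time stamps in httpd's error_log.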