Bug 814391
Summary: | UUID package cause SELinux AVC Denials | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Adam Young <ayoung> |
Component: | python | Assignee: | Dave Malcolm <dmalcolm> |
Status: | CLOSED ERRATA | QA Contact: | Petr Šplíchal <psplicha> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.2 | CC: | apevec, jpazdziora, ohudlick |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | python-2.6.6-35.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 10:31:45 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Adam Young
2012-04-19 18:37:54 UTC
This is related to (but different from) bug 582009 Within ctypes, objects of _ctypes.CThunkObject wrap machine code "thunks", containing run-time generated machine code hooks for bridging between Python callables and C functions. Instantiating one of these objects requires an allocation of a page of RAM that can be both written to and executed. In RHEL's python we patch ctypes to use libffi's ffi_closure_alloc for this, which uses a trick involving mapping a tempfile in /tmp multiple times to avoid SELinux's complaining about pages of memory being both writable and executable. This fails for httpd when the SELinux boolean httpd_tmp_exec is off. As noted in bug 582009, one workaround is: setsebool httpd_tmp_exec on which allows httpd to execute such mapped tempfiles - but which could be a security issue. uuid doesn't need to use much ctypes, and indeed, it could be rewritten using a C extension module to avoid the use of ctypes altogether. It turns out that merely doing an "import ctypes" allocates a thunk, but this is somewhat spurious. Within /usr/lib64/python2.7/ctypes/__init__.py in _reset_cache there is this code: # XXX for whatever reasons, creating the first instance of a callback # function is needed for the unittests on Win64 to succeed. This MAY # be a compiler bug, since the problem occurs only when _ctypes is # compiled with the MS SDK compiler. Or an uninitialized variable? CFUNCTYPE(c_int)(lambda: None) If I comment out that line, then a mere "import ctypes" doesn't need to allocate any thunks (PyCFuncPtr_new uses the GenericPyCData_new clause for a single int/long argument, withouth reaching the thunk allocator). Similarly, without this line, I am able to run the test.test_uuid test suite without Python attempting to allocate any thunks. I am also still able to run the test.test_ctypes test suite (although that does allocate thunks). I see at https://www.redhat.com/archives/epel-devel-list/2012-April/msg00054.html that people are running into this with Django. Can you confirm that Django still works if you comment out the line mentioned above? Looks like I've independently reinvented the fix mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=582009#c1 Downstream removal of that line committed to python "master" for Fedora 18: http://pkgs.fedoraproject.org/gitweb/?p=python.git;a=commitdiff;h=7461fe5163d36a83893db6a696f5cc6a74cb6b51 Building python-2.7.3-4.fc18 for dist-rawhide Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=4009760 Similarly for "python3" in Fedora 18: http://pkgs.fedoraproject.org/gitweb/?p=python3.git;a=commitdiff;h=8a28107df1670a03a12cf6a7787160f103d8d8c8 Building python3-3.2.3-4.fc18 for dist-rawhide Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=4009802 Within Fedora: * this is fixed in rawhide as of python-2.7.3-4.fc18 and python-3.2.3-4.fc18 * candidate fix for python in F17: https://admin.fedoraproject.org/updates/FEDORA-2012-7019/python-2.7.3-6.fc17 * candidate fix for python3 in F17: https://admin.fedoraproject.org/updates/FEDORA-2012-5785/python3-3.2.3-5.fc17 This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0437.html |