Description of problem:
When using python-cryptography in mod_wsgi, the call

    cls.ffi.callback("void(int, int, const char *, int)", cls._lock_cb)

in cryptography/hazmat/bindings/openssl/binding.py requires an execmem permission, which httpd doesn't have.

Version-Release number of selected component (if applicable):
python-cryptography 0.8.2

How reproducible:
Consistent

Steps to Reproduce:
1. sestatus
2. yum install -y python-cffi mod_wsgi httpd python-cryptography
3. yum update -y
4. vi /etc/httpd/conf.d/test.conf
5. vi /usr/libexec/cryptotest
6. service httpd start
7. tail -f /var/log/httpd/error_log /var/log/audit/audit.log

test.conf:

    WSGIScriptAlias / /usr/libexec/cryptotest
    <Directory /usr/libexec>
        Require all granted
    </Directory>

cryptotest:

    # Module-level code runs when mod_wsgi imports the script; there is
    # deliberately no application() callable, so a successful import yields a 404.
    print 'Import fernet'
    from cryptography.fernet import Fernet
    key = Fernet.generate_key()
    f = Fernet(key)
    print 'Done with fernet'

Visit web server.

Actual results:
See 500 server error.

    ==> /var/log/httpd/error_log <==
    [Tue May 17 12:40:23.225569 2016] [:error] [pid 22291] Import fernet
    [Tue May 17 12:40:23.250668 2016] [core:notice] [pid 22287] AH00052: child pid 22290 exit signal Segmentation fault (11)

    ==> /var/log/audit/audit.log <==
    type=AVC msg=audit(1463488824.018:187): avc: denied { execmem } for pid=22291 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Expected results:
404 (because the wsgi doesn't have an "application").

Additional info:
Moving the "if not cls._lock_cb_handle:" block after the "if cls.lib.CRYPTO_get_locking_callback() != cls.ffi.NULL:" block fixes the issue, because seemingly CPython ssl has its own locking.
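As an added example (not part of the bug report or of python-cryptography's code): a small parser that pulls execmem denials for the httpd_t domain out of audit.log records like the one above, so the cause of the segfaulting child can be confirmed from the audit trail before patching. The first sample record is the one from the report; the second is a constructed, unrelated denial that the filter must reject.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the AVC record from the bug report plus one
# unrelated file-read denial in the same domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1463488824.018:187): avc:  denied  { execmem } for  pid=22291 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1463488824.020:188): avc:  denied  { read } for  pid=22291 comm="httpd" name="secret" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

# audit.log writes one or two spaces between tokens depending on version,
# so every separator is matched with \s+.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": set(m["perms"].split()),
    }
    # The remainder is key=value pairs; string values are double-quoted.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m["fields"]):
        rec[key] = quoted or bare
    # user:role:type:level -> the type is the SELinux domain, e.g. httpd_t
    rec["domain"] = rec["scontext"].split(":")[2]
    return rec

def execmem_denials(lines, domain="httpd_t"):
    """AVC records where `domain` was denied execmem on its own process."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied" and "execmem" in rec["perms"]
                and rec["domain"] == domain and rec.get("tclass") == "process"):
            out.append(rec)
    return out

if __name__ == "__main__":
    for rec in execmem_denials(SAMPLE_AUDIT_LOG.splitlines()):
        print(rec["time"], "serial", rec["serial"], "pid", rec["pid"], rec["comm"], rec["domain"])
```

A hit here is exactly the denial the delayed-callback patch avoids by not creating the cffi callback at all; granting execmem to the whole httpd_t domain instead would widen the web server's privileges for every module it loads.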
Created attachment 1159018: Delay locking callback patch for python-cryptography 0.8.3

The creation of the locking callback handler is delayed. With CPython the internal _ssl takes care of registering lock handlers.
Created attachment 1159056: Alternative: monkey patch for Ipsilon

Untested monkey patch for Ipsilon.