openstack team mailing list archive: Message #10309
Re: Python UUID and SELinux AVC denials
Have you tried changing Dashboard to monkey patch the uuid module to blank
out the functions being loaded from ctypes? If the _uuid_generate_*
functions are not set, the existing Python implementation is used instead,
and it looks like that just uses urandom() inline.
On Thu, Apr 19, 2012 at 11:53 AM, Adam Young <ayoung@xxxxxxxxxx> wrote:
> Did a little digging into an audit log message we've been seeing
> specifically on Dashboard.
>
> They look like this in audit.log
>
> type=AVC msg=audit(1334860567.213:5184): avc: denied { execute } for pid=19103
> comm="httpd" path=2F6465762F73686D2F6666694F337A6B4972202864656C6574656429
> dev=tmpfs ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
>
> And are a little clearer if you use
>
> sudo ausearch -i | grep denied
>
> type=AVC msg=audit(04/19/2012 14:36:07.213:5184) : avc: denied { execute
> } for pid=19103 comm=httpd path=/dev/shm/ffiO3zkIr (deleted) dev=tmpfs
> ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
>
> Something in HTTPD is trying to generate code and then execute it by
> writing to a file. We've traced that something down to the UUID generation
> code. The standard UUID module makes a ctypes call, which does run-time
> generation of native stubs in order to call into libuuid to actually
> generate the UUID.
>
> While we are working with the Python maintainers to come up with long term
> fixes, we probably want to come up with something short term. We are
> going to generate an alternative UUID module, probably named something
> along the lines of uuid_no_ctypes, that will call into libuuid via
> pregenerated function stubs. This module will be a copy of the uuid.py
> file from the upstream, with the absolute minimum of changes to avoid
> ctypes.
>
> Once we've got this working, all of the projects that use UUID should
> switch over...this is a good argument for putting that code into
> Openstack-common. Keystone, Nova, and Quantum all import uuid.
>
> None of the projects seem to be using ctypes directly. However, it is
> possible that we are using other third party libraries that, in turn, use
> ctypes.
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
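The two halves of this thread, decoding the raw AVC record the way `ausearch -i` does so the denial can be recognised, and the monkey-patch suggested in the reply, as one added example. This is not code from the original message, from Dashboard or from any OpenStack project: the function names (parse_avc, is_ffi_closure_denial, disable_uuid_ctypes_backends, verify_pure_python_uuids) are this example's own, the sample line is the one quoted above re-joined onto a single line, and the attribute names _uuid_generate_random / _uuid_generate_time are those of the uuid.py of that era. Later CPython releases reach libuuid through a compiled _uuid extension rather than ctypes, so on such an interpreter the patch is a harmless no-op.

```python
"""Added example for the thread above, not code from the original message or
from OpenStack. Decodes the quoted AVC record, classifies it, and applies the
reply's suggested uuid monkey-patch. All function names are this example's own."""
import re
import uuid

# Constructed sample: the raw audit.log line from the message, re-joined onto
# one line. auditd hex-encodes `path` here because the value contains a space.
RAW_AVC = (
    "type=AVC msg=audit(1334860567.213:5184): avc: denied { execute } for "
    'pid=19103 comm="httpd" '
    "path=2F6465762F73686D2F6666694F337A6B4972202864656C6574656429 "
    "dev=tmpfs ino=1281359 scontext=unconfined_u:system_r:httpd_t:s0 "
    "tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file"
)

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields auditd may hex-encode; numeric fields (pid, ino) are never decoded.
_HEX_FIELDS = {"path", "comm", "name", "exe", "proctitle"}
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def decode_audit_value(key, value):
    """Undo auditd's field encoding: strip quotes, or hex-decode string fields."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in _HEX_FIELDS and _HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return the denied permissions and decoded key=value fields of one AVC
    record, or None for a line that is not an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {k: decode_audit_value(k, v) for k, v in _FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def is_ffi_closure_denial(rec):
    """Match the pattern in the thread: `execute` denied on an unlinked tmpfs
    file under /dev/shm named ffiXXXXXX, which is where libffi stages the
    executable stubs it generates at run time."""
    return (
        rec is not None
        and "execute" in rec["perms"]
        and rec.get("tclass") == "file"
        and rec.get("dev") == "tmpfs"
        and rec.get("path", "").startswith("/dev/shm/ffi")
    )


def disable_uuid_ctypes_backends(module=uuid):
    """The workaround from the reply: blank out the libuuid entry points that
    the uuid.py of that era resolved through ctypes, so uuid1()/uuid4() fall
    through to the pure-Python paths (os.urandom for uuid4). Returns the
    post-patch value of each name. Assumption: these attribute names match
    that uuid.py; an interpreter that never defined them is left untouched."""
    state = {}
    for name in ("_uuid_generate_random", "_uuid_generate_time"):
        if hasattr(module, name):
            setattr(module, name, None)
        state[name] = getattr(module, name, None)
    return state


def verify_pure_python_uuids():
    """After patching, both generators must still hand back well-formed UUIDs."""
    disable_uuid_ctypes_backends()
    return uuid.uuid1().version, uuid.uuid4().version


if __name__ == "__main__":
    rec = parse_avc(RAW_AVC)
    print("path as ausearch -i shows it:", rec["path"])
    print("libffi stub denial:", is_ffi_closure_denial(rec))
    print("uuid backends after patch:", disable_uuid_ctypes_backends())
    print("uuid1/uuid4 versions after patch:", verify_pure_python_uuids())
```

The patch has to run after `import uuid` but before the first uuid1()/uuid4() call in the process, so in a WSGI deployment it belongs at the top of the entry script rather than in an arbitrary view module. It only silences the denial that this thread traced to uuid; any other library that calls into ctypes will still trip the same SELinux rule, which is why the parser above keys on the ffiXXXXXX path rather than on httpd alone.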