Hi, folks. I've been debugging a problem I found when upgrading a Fedora server box to Fedora 23. The long story is here:
but here's the short story:
- Install Fedora 23
- `setsebool -P deny_execmem on`
- `dnf install python-cryptography`
- `python -c 'from cryptography.hazmat.bindings.openssl.binding import Binding'`
This will crash. It causes a problem in practice because on Fedora, SELinux denies such 'execmem' operations for processes run by httpd, and the above ultimately happens when something does `import requests` if python-ndg-httpsclient is installed, and FreeIPA - the thing I'm actually running on the affected box - does that in a WSGI server process. The `setsebool` command applies the same restriction to commands launched by a regular user, for ease of reproduction.
I talked to the python-cryptography devs about this, and they said:
<Alex_Gaynor> adamw: it looks like it's blowing up on any closure being created, so I think this is a cffi or libffi bug, not a cryptography one.
I'll attach the C backtrace from the crash.
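
A diagnostic sketch for the condition described in this report, added here as an example and not part of the original post or of cffi, libffi or cryptography: it reads the `deny_execmem` boolean from selinuxfs and probes whether the current process may map anonymous memory that is writable and executable, reporting a denial instead of crashing. The function names are hypothetical, and it assumes (not stated on the page) that closure creation needs such a mapping.

```python
import errno
import mmap

# selinuxfs path for the boolean used in the report; absent when SELinux is off.
BOOL_PATH = "/sys/fs/selinux/booleans/deny_execmem"


def read_deny_execmem(path=BOOL_PATH):
    """Return True/False for the boolean's current value, None if unreadable."""
    try:
        with open(path) as fh:
            current = fh.read().split()[0]  # file holds "<current> <pending>"
    except (OSError, IndexError):
        return None
    return current == "1"


def map_wx(size=mmap.PAGESIZE):
    """Request one anonymous page that is writable and executable at once."""
    prot = mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC
    flags = mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS
    region = mmap.mmap(-1, size, flags=flags, prot=prot)
    region.close()


def probe_execmem(mapper=map_wx):
    """Classify the attempt: 'allowed', 'denied' (policy) or 'error:<ERRNO>'.

    `mapper` is injectable so the classification can be exercised without
    an enforcing SELinux host.
    """
    try:
        mapper()
    except OSError as exc:
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        return "error:" + errno.errorcode.get(exc.errno, "unknown")
    return "allowed"


def report():
    """Combine the policy boolean with what this process is actually allowed."""
    return {"deny_execmem": read_deny_execmem(), "wx_mmap": probe_execmem()}


if __name__ == "__main__":
    print(report())
```

The result depends on the SELinux domain of the calling process, so run it in the same context as the failing one (for example inside the WSGI process) rather than only from a login shell.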