Have you tried changing Dashboard to monkey patch the uuid module to blank out the functions being loaded from ctypes? If the _uuid_generate_* functions are not set, the existing python implementation is used instead and it looks like that just uses urandom() inline.<br>
<br><div class="gmail_quote">On Thu, Apr 19, 2012 at 11:53 AM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Did a little digging into an audit log message we've been seeing specifically on Dashboard.<br>
<br>
They look like this in audit.log<br>
<br>
type=AVC msg=audit(1334860567.213:5184)<u></u>: avc: denied { execute } for pid=1910<br>
3 comm="httpd" path=<u></u>2F6465762F73686D2F6666694F337A<u></u>6B4972202864656C6574656429 dev<br>
=tmpfs ino=1281359 scontext=unconfined_u:system_<u></u>r:httpd_t:s0 tcontext=unconfined<br>
_u:object_r:httpd_tmpfs_t:s0 tclass=file<br>
<br>
And are a little clearer if you use<br>
<br>
sudo ausearch -i | grep denied<br>
<br>
type=AVC msg=audit(04/19/2012 14:36:07.213:5184) : avc: denied { execute } for pid=19103 comm=httpd path=/dev/shm/ffiO3zkIr (deleted) dev=tmpfs ino=1281359 scontext=unconfined_u:system_<u></u>r:httpd_t:s0 tcontext=unconfined_u:object_<u></u>r:httpd_tmpfs_t:s0 tclass=file<br>
<br>
Something in HTTPD is trying to generate code and then execute it by writing to a file. We've traced that something down to the UUID generation code. The standard UUID module makes a ctypes call, which does run time generation of Native stubs in order to call into libuuid to actually generate the UUID.<br>
<br>
While we are working with the Python maintainers to come up with long term fixes, we probably want to come up with something short term. We are going to generate an alternative UUID module, probably named something along the lines of uuid_no_ctypes, that will call into libuuid via pregenerated function stubs. This module will be a copy of the uuid.py file from The upstream, with the absolute minimum of changes to avoid ctypes.<br>
<br>
Once we've got this working, all of the projects that use UUID should switch over...this is a good argument for putting that code into Openstack-common. Keystone, Nova, and Quantum all import uuid.<br>
<br>
None of the projects seem to be using ctypes directly. However, it is possible that we are using other third party libraries that, in turn, use ctypes.<br>
<br>
______________________________<u></u>_________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~<u></u>openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~<u></u>openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/<u></u>ListHelp</a><br>
</blockquote></div><br>