libffi prevents p11-kit from being usable with selinux

Stef Walter stefw at
Wed Sep 23 07:20:43 PDT 2015

On 23.09.2015 13:41, Nikos Mavrogiannopoulos wrote:
> On Tue, 2015-09-22 at 16:19 +0200, Stef Walter wrote:
>> On 22.09.2015 11:55, Nikos Mavrogiannopoulos wrote:
>>> On Mon, 2015-09-21 at 15:12 +0200, Stef Walter wrote:
>>>> Several functions (such as CloseAllSessions()) in PKCS#11 act
>>>> globally.
>>>> By returning a different closure for those function pointers to
>>>> each
>>>> caller, we can scope those effects. We don't do this only in the
>>>> proxy
>>>> module, but throughout the PKCS#11 API.
>>>> The following functions are routinely wrapped in a closure:
>>>> C_Initialize
>>>> C_Finalize
>>>> C_CloseAllSessions
>>>> C_CloseSession
>>>> C_OpenSession
>>>> In addition, if things like remoting or logging are enabled, then 
>>>> all functions are wrapped ... so their arguments can be remoted 
>>>> or logged respectively.
> I'm wondering, what if we treat a failure of libffi to initialize the
> same as when WITH_FFI is not defined? That way we wouldn't get all
> features but the basic stuff that apache could work. What do you think,
> could that work? Does it worth a try?

What is calling p11-kit in the apache case? Could it just ask for
P11_KIT_UNMANAGED modules? That would avoid the issue here, I think.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the p11-glue mailing list