libffi prevents p11-kit from being usable with selinux

Nikos Mavrogiannopoulos nmav at
Wed Sep 23 07:39:37 PDT 2015

On Wed, 2015-09-23 at 16:20 +0200, Stef Walter wrote:

> > I'm wondering, what if we treat a failure of libffi to initialize the
> > same as when WITH_FFI is not defined? That way we wouldn't get all
> > features but the basic stuff that apache could work. What do you think,
> > could that work? Is it worth a try?
> What is calling p11-kit in the apache case? Could it just ask for
> P11_KIT_UNMANAGED modules? That would avoid the issue here, I think.

Mainly via gnutls for mod_gnutls and engine_pkcs11 for nginx. None of
these have the option to load unmanaged modules.

The former uses p11-kit directly via
p11_kit_modules_load_and_initialize(). If that function would fall back
to unmanaged if managed (ffi) doesn't work, it would solve the issue.

engine_pkcs11 on the other hand loads the proxy module if no specific
module is given. If one is given, it loads the module by itself.

A short term solution for engine_pkcs11 would be to add hooks to
applications to specify the module (though it may not be very feasible -
the nginx people have already rejected some improvement on pkcs11
support which used engine calls).

The longer term would be to rewrite it to use p11-kit instead of libp11.

