Delay import of psutil to avoid AVC

Commit cfad7af35d added a check to ensure a
system has a sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
an SELinux violation and a Python exception.

     PermissionError: [Errno 13] Permission denied: '/proc/stat'

Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Christian Heimes
2020-09-23 08:46:44 +02:00
parent 9f9dcfe88a
commit 80fca8d701
3 changed files with 6 additions and 3 deletions

@@ -29,7 +29,6 @@ import ldif
import os
import re
import fileinput
import psutil
import sys
import tempfile
import shutil
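Review bot: With the module-level `import psutil` dropped from this import block, any other psutil reference in this file would now fail with a NameError at call time instead of at import. The only local import visible in this diff is the one in check_available_memory, so confirm with a grep that it is the sole user in the module. A one-line comment in the import block noting that psutil is imported lazily on purpose would also keep a later cleanup from moving it back to the top.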
@@ -1035,6 +1034,9 @@ def check_available_memory(ca=False):
"Unable to determine the amount of available RAM"
)
else:
# delay import of psutil. On import it opens files in /proc and
# can trigger a SELinux violation.
import psutil
available = psutil.virtual_memory().available
logger.debug("Available memory is %sB", available)
if available < minimum_suggested:
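Review bot: The deferred `import psutil` in the else branch is unguarded, so when this branch runs in a confined SELinux domain the `PermissionError` on '/proc/stat' quoted in the commit message can still be raised here, only later than before. Consider wrapping the import and the `psutil.virtual_memory()` call in a try/except for ImportError and OSError and routing the failure to the existing "Unable to determine the amount of available RAM" path shown just above, so a denied /proc read degrades to a skipped check instead of a traceback. A function-level import may also need a pylint import-outside-toplevel suppression if the project lints for it.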