I've been asked by FESCo to post this public service announcement :)
We'd just like to remind those who test Fedora, in whatever way...running a stable release with updates-testing, running Rawhide, being a proven tester (especially)...that it's best if you test with SELinux enabled and enforcing. This is the default configuration of Fedora, so we need testers to be running with this configuration so we don't miss problems that show up when SELinux is running.
For proven testers, I actually added a section about this to the instructions recently - https://fedoraproject.org/wiki/Proven_tester#Testing_process .
We recognize there may be situations when SELinux causes problems and you need to make it permissive or turn it off temporarily, but please try and keep it turned on if you possibly can, and if you're in a situation where you need to disable it, please let the developers know by filing a bug, so they can fix it and you can turn it back on. Thanks a lot!
We recognize there may be situations when SELinux causes problems and you need to make it permissive or turn it off temporarily, but please try and keep it turned on if you possibly can, and if you're in a situation where you need to disable it, please let the developers know by filing a bug, so they can fix it and you can turn it back on. Thanks a lot!
How sincere is this offer, because I can think of a few use cases that make a lot of work for anyone wanting to keep SELinux. These are realistic use cases that people in the real world will want to follow, that I follow every time I install Fedora. But I have given up providing feedback because the response is usually more like 'you shouldn't do that because it doesn't fit in with the SELinux way' rather than 'we can change SELinux to let you do that securely by XXX'
The use cases in case anyone's interested: Install Picasa3 (which uses its own wine version*) and install Spotify (for Windows) using the 'native' Wine.
*Google recommends turning off SELinux
On 07/30/2010 12:47 PM, Camilo Mesias wrote:
The use cases in case anyone's interested: Install Picasa3 (which uses its own wine version*) and install Spotify (for Windows) using the 'native' Wine.
*Google recommends turning off SELinux
This is proprietary software outside the Fedora repository and cannot be fixed by anyone except the vendor. However there is a workaround:
restorecon -R -v /opt
If there are other issues, especially for software in the Fedora repository, do file bug reports.
Rahul
Fri 2010-07-30 at 12:51 +0530, Rahul Sundaram wrote:
On 07/30/2010 12:47 PM, Camilo Mesias wrote:
The use cases in case anyone's interested: Install Picasa3 (which uses its own wine version*)
It's winelib, not wine, right?
*Google recommends turning off SELinux
This is proprietary software outside the Fedora repository and cannot be fixed by anyone except the vendor. However there is a workaround:
restorecon -R -v /opt
If a non-SELinux aware application installs itself in /opt, shouldn't it get the default labels by, eh, default?
/Alexander
On 07/30/2010 04:51 AM, Alexander Boström wrote:
Fri 2010-07-30 at 12:51 +0530, Rahul Sundaram wrote:
On 07/30/2010 12:47 PM, Camilo Mesias wrote:
The use cases in case anyone's interested: Install Picasa3 (which uses its own wine version*)
It's winelib, not wine, right?
*Google recommends turning off SELinux
This is proprietary software outside the Fedora repository and cannot be fixed by anyone except the vendor. However there is a workaround:
restorecon -R -v /opt
If a non-SELinux aware application installs itself in /opt, shouldn't it get the default labels by, eh, default?
/Alexander
I decided to respond to these emails about Google Applications in a blog entry
http://danwalsh.livejournal.com/37067.html
On Fri, Jul 30, 2010 at 09:51:05 -0400, Daniel J Walsh dwalsh@redhat.com wrote:
I decided to respond to these emails about Google Applications in a blog entry
The link to Drepper's stuff should be: http://people.redhat.com/drepper/selinux-mem.html
Your link has a ~ and a trailing space.
On 07/30/2010 09:51 AM, Daniel J Walsh wrote:
I decided to respond to these emails about Google Applications in a blog entry
Thanks for addressing this. Specifically about the mmap_zero problem, is there a way to set mmap_low_allowed only for this single app running under wine, or does it have to be a system-wide Wine setting? I think it's the latter.
Since Wine is just a platform to run other programs, the real question here is 'is it in general safe to enable this', and you seem to imply that there _are_ serious security consequences. I was concerned myself and I haven't enabled it on my system.
OK, an update. I reinstalled F13, added Picasa 3 from the Google repo. It does run although it triggers tens of SELinux alerts about mmap_zero on "unknown".
The messages are pretty confusing really; they are complaining about "unknown". They say I need to change booleans to allow the access and give the command to change mmap_low_allowed. But there is no mention of the more appropriate sounding wine_mmap_zero_ignore boolean that is mentioned on Dan's blog... Apart from that the corner of the troubleshoot browser shows "Error while checking policy version". It does all look a bit suspicious!
I don't want to enable mmap_low just yet as it sounds like there might be a better option. But I don't want to set the boolean to ignore the alerts. For all I know there might be some feature of Picasa that I haven't tried yet that requires mmap_low to be enabled - I will keep an eye open for crashes and bad behaviour. I think I will have to live with the ever growing list of alerts while it isn't clear what action to take for the best.
There is a problem with Picasa3 that prevents signing in to web albums... I found a hacky fix which involves copying wineinet.dll.so from the system wine over the Google one. That enables web album access. I take it this bug is well and truly in the Google domain.
Out of interest I ran the restorecon command with -n to see what it would have changed and there was very little:
# restorecon -nRv /opt
restorecon reset /opt/google/picasa/3.0/wine/lib/wine/google-wininet.dll.so context unconfined_u:object_r:lib_t:s0->system_u:object_r:textrel_shlib_t:s0
restorecon reset /opt/google/picasa/3.0/wine/drive_c/Program Files/Google/Picasa3/runtime/distro.ini context unconfined_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:usr_t:s0
Next I ran the Spotify installer and saw more alerts. The browser suggested the boolean solution again. When running the spotify binary I got another alert that suggested chcon -t textrel_shlib_t on the spotify.exe file. Yet Spotify seemed to work even without this. Again I'm not sure what to do for the best.
-Cam
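Rahul's `restorecon -R -v /opt` suggestion and Cam's `-n` dry run above both hinge on reading what restorecon proposes before letting it touch a vendor tree. The script below is an added example, not part of the thread or of any Fedora tool: it parses `restorecon -nRv` output into a path / old type / new type table and flags files that would receive textrel_shlib_t, since that label is the one that permits text relocations (writable-then-executable library mappings), so it is the relabel worth a second look. The sample output is constructed from the two lines Cam posted; `plan_opt` runs the live dry run if restorecon is installed.

```shell
#!/bin/sh
# Added example: review a restorecon dry run before applying it.
# SAMPLE is constructed output, modelled on the lines posted in the thread.
SAMPLE='restorecon reset /opt/google/picasa/3.0/wine/lib/wine/google-wininet.dll.so context unconfined_u:object_r:lib_t:s0->system_u:object_r:textrel_shlib_t:s0
restorecon reset /opt/google/picasa/3.0/wine/drive_c/Program Files/Google/Picasa3/runtime/distro.ini context unconfined_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:usr_t:s0'

# plan_lines: read "restorecon reset PATH context OLD->NEW" lines on stdin and
# emit one tab-separated "PATH<TAB>OLD_TYPE<TAB>NEW_TYPE" line per file.
# Paths may contain spaces, so the split is done on the " context " marker.
plan_lines() {
    while IFS= read -r line; do
        case "$line" in
            "restorecon reset "*" context "*"->"*) ;;
            *) continue ;;      # skip anything that is not a relabel record
        esac
        rest=${line#restorecon reset }
        path=${rest% context *}
        ctx=${rest##* context }
        old=${ctx%%->*}
        new=${ctx#*->}
        # third colon-separated field of a context is the SELinux type
        old_t=$(printf '%s\n' "$old" | cut -d: -f3)
        new_t=$(printf '%s\n' "$new" | cut -d: -f3)
        printf '%s\t%s\t%s\n' "$path" "$old_t" "$new_t"
    done
}

# count_changes: how many files the sample dry run would relabel
count_changes() {
    printf '%s\n' "$SAMPLE" | plan_lines | wc -l | tr -d ' '
}

# new_type_of PATH: the type PATH would receive according to the sample
new_type_of() {
    printf '%s\n' "$SAMPLE" | plan_lines | awk -F'\t' -v p="$1" '$1 == p { print $3 }'
}

# textrel_paths: files that would become textrel_shlib_t, i.e. libraries
# built without PIC that need text relocations; worth reviewing individually
textrel_paths() {
    printf '%s\n' "$SAMPLE" | plan_lines | awk -F'\t' '$3 == "textrel_shlib_t" { print $1 }'
}

# plan_opt: same table for the real /opt tree, only when restorecon exists
plan_opt() {
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not installed" >&2; return 1; }
    restorecon -nRv /opt | plan_lines
}
```

Run `plan_opt` as root on the tester box to get the table for the real tree; once the list is reviewed, the same command without `-n` applies it. Nothing here changes a boolean, so the mmap_zero question stays a separate decision.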
On 07/30/2010 08:22 PM, Camilo Mesias wrote:
OK, an update. I reinstalled F13, added Picasa 3 from the Google repo. It does run although it triggers tens of SELinux alerts about mmap_zero on "unknown".
The messages are pretty confusing really; they are complaining about "unknown". They say I need to change booleans to allow the access and give the command to change mmap_low_allowed. But there is no mention of the more appropriate sounding wine_mmap_zero_ignore boolean that is mentioned on Dan's blog... Apart from that the corner of the troubleshoot browser shows "Error while checking policy version". It does all look a bit suspicious!
I don't want to enable mmap_low just yet as it sounds like there might be a better option. But I don't want to set the boolean to ignore the alerts. For all I know there might be some feature of Picasa that I haven't tried yet that requires mmap_low to be enabled - I will keep an eye open for crashes and bad behaviour. I think I will have to live with the ever growing list of alerts while it isn't clear what action to take for the best.
Are the alerts being caught as duplicates?
There is a problem with Picasa3 that prevents signing in to web albums... I found a hacky fix which involves copying wineinet.dll.so from the system wine over the Google one. That enables web album access. I take it this bug is well and truly in the Google domain.
Out of interest I ran the restorecon command with -n to see what it would have changed and there was very little:
# restorecon -nRv /opt
restorecon reset /opt/google/picasa/3.0/wine/lib/wine/google-wininet.dll.so context unconfined_u:object_r:lib_t:s0->system_u:object_r:textrel_shlib_t:s0
restorecon reset /opt/google/picasa/3.0/wine/drive_c/Program Files/Google/Picasa3/runtime/distro.ini context unconfined_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:usr_t:s0
I would make these changes.
Next I ran the Spotify installer and saw more alerts. The browser suggested the boolean solution again. When running the spotify binary I got another alert that suggested chcon -t textrel_shlib_t on the spotify.exe file. Yet Spotify seemed to work even without this. Again I'm not sure what to do for the best.
-Cam
Please mail me the setroubleshoot output. I will look into fixing its output.
On 07/30/2010 08:17 AM, Camilo Mesias wrote:
We recognize there may be situations when SELinux causes problems and you need to make it permissive or turn it off temporarily, but please try and keep it turned on if you possibly can, and if you're in a situation where you need to disable it, please let the developers know by filing a bug, so they can fix it and you can turn it back on. Thanks a lot!
How sincere is this offer, because I can think of a few use cases that make a lot of work for anyone wanting to keep SELinux. These are realistic use cases that people in the real world will want to follow, that I follow every time I install Fedora. But I have given up providing feedback because the response is usually more like 'you shouldn't do that because it doesn't fit in with the SELinux way' rather than 'we can change SELinux to let you do that securely by XXX'
SELinux is very configurable, and its various protections can be turned on and off for each individual case. Google code seems to have odd bugs: Google Earth, in particular, has libraries that haven't been compiled as position-independent code, leading to the need to set special attributes on its libraries. This can be fixed by changing the attributes on those libraries, once you know how.
There are not many cases (well, none, AFAIK) where it's actually necessary to turn off SELinux altogether.
The use cases in case anyone's interested: Install Picasa3 (which uses its own wine version*) and install Spotify (for Windows) using the 'native' Wine.
I might have a look at Picasa3.
*Google recommends turning off SELinux
Google is a pretty big company, and I suspect that some of its employees would be unimpressed by this advice.
Andrew.
Andrew,
SELinux is very configurable, and its various protections can be turned on and off for each individual case.
That's interesting, I think the last problem I ran into was having to set a boolean to get Picasa3 to run. This wasn't the whole fix, just one step. I was under the impression that my choice would affect the whole system. I would have preferred to make that setting just for Picasa3 (not even just for Wine). I started a BZ report 527147 once along similar lines.
In fact I think the ideal user experience would be more along the lines of...
User-> installs Picasa3 using yum and the google testing repo
User-> runs Picasa3
Fedora-> SELinux violation, 'picasa' is trying to mmap_low and this is a security risk. Please choose
(a) disallow this every time (the safe option)
(b) allow it this time only, ask next time
(c) allow this every time
The user can then make a choice without making wide reaching changes to security. Bear in mind a user might well try something like this only to decide to use another program instead (shotwell?) and it would be a shame to leave behind SELinux config after the program is uninstalled.
I am quite tempted to reinstall sometime and try the restorecon -R -v /opt to see if it works, and make a flurry of BZ entries for everything else SELinux related as I install Spotify and Picasa3. Everything else works so well in F13 I think there's just a short way to go to bring SELinux to the same level.
-Cam
Hi,
On 07/30/2010 01:12 PM, Camilo Mesias wrote:
SELinux is very configurable, and its various protections can be turned on and off for each individual case.
That's interesting, I think the last problem I ran into was having to set a boolean to get Picasa3 to run. This wasn't the whole fix, just one step. I was under the impression that my choice would affect the whole system.
That seems to be true.
I would have preferred to make that setting just for Picasa3 (not even just for Wine). I started a BZ report 527147 once along similar lines.
The trouble is that there is so much bad advice about.
Dan Walsh's blog at http://danwalsh.livejournal.com/37067.html explains what's needed.
In fact I think the ideal user experience would be more along the lines of...
User-> installs Picasa3 using yum and the google testing repo
User-> runs Picasa3
Fedora-> SELinux violation, 'picasa' is trying to mmap_low and this is a security risk. Please choose
(a) disallow this every time (the safe option)
(b) allow it this time only, ask next time
(c) allow this every time
The user can then make a choice without making wide reaching changes to security. Bear in mind a user might well try something like this only to decide to use another program instead (shotwell?) and it would be a shame to leave behind SELinux config after the program is uninstalled.
That would be nice.
What would be really nice is if you would attach this reply to Dan Walsh's blog. I want to know what he says! :-)
I am quite tempted to reinstall sometime and try the restorecon -R -v /opt to see if it works, and make a flurry of BZ entries for everything else SELinux related as I install Spotify and Picasa3. Everything else works so well in F13 I think there's just a short way to go to bring SELinux to the same level.
As I said on-list, Picasa works for me out of the box.
Andrew.
On 07/30/2010 09:45 AM, Andrew Haley wrote:
The use cases in case anyone's interested: Install Picasa3 (which uses its own wine version*) and install Spotify (for Windows) using the 'native' Wine.
I might have a look at Picasa3.
I just installed it from http://dl.google.com/linux/rpm/testing/i386/picasa-3.0-current.i386.rpm and it seems to work perfectly on F12.
Andrew.