Untrusted content domain

Daniel J Walsh dwalsh at redhat.com
Wed May 11 14:21:07 UTC 2005


Mike Hearn wrote:

>On Tue, 10 May 2005 21:34:36 -0400, Ivan Gyurdiev wrote:
>
>>By the way, since you're involved with Codeweavers - does all of wine
>>require text relocations? If so, it needs to be marked textrel_shlib_t.
>
>I'm not sure, I haven't examined the reasons we have text relocs in depth.
>Wine's build system is complex, and I've not seen any documentation on what
>kind of things can trigger this. A hunch is maybe it's related to the
>embedded NT headers.
>
>>I should probably file a policy bug, because it doesn't work at all
>>under SELinux strict - I use wine quite a lot (games on Linux!),
>>and it's annoying that I have to turn SELinux off all the
>>time to make use of it.
>
>I was wondering about that :) I couldn't quite figure out whether
>the textrel thing was both targeted and strict or just strict:
>seems like it's just strict <phew> :)
>
>Marking libs as textrel_shlib_t should be done automatically by the
>patched install IMHO. We don't have any bugs filed on this in
>WineHQ/Codeweavers bugzilla so right now I guess not many people are
>trying to use strict on a desktop. But obviously if we can fix this
>easily then that'd be great.
>
Currently textrel_shlib_t == shlib_t == lib_t in targeted policy. That
can and should probably change in the future as we tighten up security
of the userspace with SELinux.

>Actually I was talking to Jeremy (White) about this the other day. We'd be
>happy to kick in a free copy of Crossover for SELinux developers if they
>were interested in testing things with it. I saw that Steven Smalley is
>testing new restrictions like execstack with programs like Java, Mozilla,
>OpenOffice etc: getting Wine/Crossover (they're virtually the same) into
>that list would be great.
>
I would take a look at it. Mainly need a list of shared libraries and
whether they need textrel support. But other issues will probably arise.

>It's a little tricky because I guess most SELinux developers are running
>strict, but most of our customers/users are running targeted (or not
>running SELinux at all), so there's not much commercial pressure to fix
>problems that only affect strict. Whereas for instance in execshield we
>had to put a lot of work into supporting it :( Still it'd be nice to know
>in advance about these things, especially if bits of strict are going to
>migrate to targeted at some point.
>
They will, and they are.

>thanks -mike

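As an added illustration of the inventory Dan asks for above (which shared objects need textrel support), the script below is not from the thread, Wine or Crossover: it scans a directory for shared objects whose ELF dynamic section carries a TEXTREL entry and prints the persistent SELinux labeling commands for them. It assumes binutils `readelf` is installed and that the directory path passed in is a placeholder of your own.

```shell
#!/bin/bash
# Added example, not code from the thread or from Wine/Crossover: inventory the
# shared objects under a directory that need text relocations (the ELF dynamic
# section carries a (TEXTREL) entry or the TEXTREL flag in (FLAGS)) and print
# the SELinux labeling commands for them. Assumes binutils `readelf` exists.
set -u

# Read `readelf -d` output on stdin; succeed (exit 0) when it shows a TEXTREL
# dynamic tag, either as its own (TEXTREL) entry or as a flag inside (FLAGS).
has_textrel_in_dynamic() {
    grep -Eq '\(TEXTREL\)|\(FLAGS\).*(^|[[:space:]])TEXTREL([[:space:]]|$)'
}

# Succeed when the ELF file at $1 needs text relocations.
needs_textrel() {
    readelf -d "$1" 2>/dev/null | has_textrel_in_dynamic
}

# Walk $1 and, for every .so that needs TEXTREL, print a persistent fcontext
# rule (survives a relabel, unlike a one-off chcon) plus the restorecon call.
scan_textrel() {
    local dir=$1 lib
    find "$dir" -type f -name '*.so*' -print0 |
    while IFS= read -r -d '' lib; do
        if needs_textrel "$lib"; then
            printf 'semanage fcontext -a -t textrel_shlib_t %q\n' "$lib"
            printf 'restorecon -v %q\n' "$lib"
        fi
    done
}

# Self-check on constructed `readelf -d` lines (no real library required).
textrel_sample=' 0x0000000000000016 (TEXTREL)            0x0'
flags_sample='   0x000000000000001e (FLAGS)              TEXTREL BIND_NOW'
clean_sample='   0x000000000000001e (FLAGS)              BIND_NOW'
selfcheck() {
    printf '%s\n' "$textrel_sample" | has_textrel_in_dynamic &&
    printf '%s\n' "$flags_sample"   | has_textrel_in_dynamic &&
    ! printf '%s\n' "$clean_sample" | has_textrel_in_dynamic
}

# Usage: ./textrel-scan.sh /path/to/wine/lib   (placeholder path)
if [ -n "${1-}" ]; then scan_textrel "$1"; fi
```

Run the printed commands as root on a strict-policy box; on targeted policy of the era, as Dan notes, textrel_shlib_t is equivalent to lib_t, so the labels are harmless there and only matter once the policies converge.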