Mike Hearn wrote:
On Tue, 10 May 2005 21:34:36 -0400, Ivan Gyurdiev wrote:
Currently textrel_shlib_t == shlib_t == lib_t in targeted policy. That can and should
By the way, since you're involved with Codeweavers - does all of wine
require text relocations? If so, it needs to be marked textrel_shlib_t.
I'm not sure, I haven't examined the reasons we have text relocs in depth. Wine's build system is complex, and I've not seen any documentation on what kind of things can trigger this. A hunch is maybe it's related to the embedded NT headers.
I should probably file a policy bug, because it doesn't work at all
under SELinux strict - I use wine quite a lot (games on Linux!), and it's annoying that I have to turn SELinux off all the time to make use of it.
I was wondering about that :) I couldn't quite figure out whether
the textrel thing was both targeted and strict or just strict:
seems like it's just strict <phew> :)
Marking libs as textrel_shlib_t should be done automatically by the patched install IMHO. We don't have any bugs filed on this in WineHQ/Codeweavers bugzilla so right now I guess not many people are trying to use strict on a desktop. But obviously if we can fix this easily then that'd be great.
probably change in the future as we tighten up security of the userspace with SELinux.
I would take a look at it. Mainly need a list of shared libraries and whether they need textrel support.
Actually I was talking to Jeremy (White) about this the other day. We'd be happy to kick in a free copy of Crossover for SELinux developers if they were interested in testing things with it. I saw that Steven Smalley is testing new restrictions like execstack with programs like Java, Mozilla, OpenOffice etc: getting Wine/Crossover (they're virtually the same) into that list would be great.
But other issues will probably arise.
It's a little tricky because I guess most SELinux developers are running strict, but most of our customers/users are running targeted (or not running SELinux at all), so there's not much commercial pressure to fix problems that only affect strict. Whereas for instance in execshield we had to put a lot of work into supporting it :( Still it'd be nice to know in advance about these things, especially if bits of strict are going to migrate to targeted at some point.
They will, and they are.
thanks -mike
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list