Untrusted content domain

Mike Hearn mike at navi.cx
Wed May 11 12:47:17 UTC 2005


On Tue, 10 May 2005 21:34:36 -0400, Ivan Gyurdiev wrote:
> By the way, since you're involved with Codeweavers - does all of wine
> require text relocations? If so, it needs to be marked textrel_shlib_t.

I'm not sure; I haven't examined the reasons we have text relocs in depth.
Wine's build system is complex, and I've not seen any documentation on what
kind of things can trigger this. A hunch is maybe it's related to the
embedded NT headers.

> I should probably file a policy bug, because it doesn't work at all
> under SELinux strict - I use wine quite a lot (games on Linux!),
> and it's annoying that I have to turn SELinux off all the
> time to make use of it.

I was wondering about that :) I couldn't quite figure out whether
the textrel thing was both targeted and strict or just strict:
seems like it's just strict <phew> :)

Marking libs as textrel_shlib_t should be done automatically by the
patched install IMHO. We don't have any bugs filed on this in
WineHQ/Codeweavers bugzilla so right now I guess not many people are
trying to use strict on a desktop. But obviously if we can fix this
easily then that'd be great.

Actually I was talking to Jeremy (White) about this the other day. We'd be
happy to kick in a free copy of Crossover for SELinux developers if they
were interested in testing things with it. I saw that Stephen Smalley is
testing new restrictions like execstack with programs like Java, Mozilla,
OpenOffice etc.: getting Wine/Crossover (they're virtually the same) into
that list would be great.

It's a little tricky because I guess most SELinux developers are running
strict, but most of our customers/users are running targeted (or not
running SELinux at all), so there's not much commercial pressure to fix
problems that only affect strict. Whereas for instance in execshield we
had to put a lot of work into supporting it :( Still, it'd be nice to know
in advance about these things, especially if bits of strict are going to
migrate to targeted at some point.

thanks -mike
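The question above is whether Wine's libraries carry text relocations, which is what forces the textrel_shlib_t label under the strict policy. As an added example (not from the thread or from the Wine project), this is a small ELF64 scanner that answers that for a given .so by reading its PT_DYNAMIC segment for the DT_TEXTREL tag or the DF_TEXTREL bit in DT_FLAGS, the same facts `readelf -d` reports as TEXTREL. The build_sample_elf helper constructs a minimal, non-loadable ELF image purely so the scanner can be exercised offline.

```python
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 16, 30, 0x4

def dynamic_entries(elf: bytes):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment of an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:   # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 file")
    e = "<" if elf[5] == 1 else ">"            # EI_DATA 1 = little-endian
    e_phoff, = struct.unpack_from(e + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", elf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(e + "I", elf, off)
        if p_type != PT_DYNAMIC:
            continue
        p_offset, = struct.unpack_from(e + "Q", elf, off + 8)
        p_filesz, = struct.unpack_from(e + "Q", elf, off + 32)
        pos = p_offset
        while pos + 16 <= p_offset + p_filesz:   # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from(e + "qQ", elf, pos)
            if d_tag == DT_NULL:
                return
            yield d_tag, d_val
            pos += 16

def has_textrel(elf: bytes) -> bool:
    """True if the object needs writable+executable text pages at load time."""
    for tag, val in dynamic_entries(elf):
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            return True
    return False

def build_sample_elf(dyn) -> bytes:
    """Constructed sample: ELF64 header + one PT_DYNAMIC phdr + dynamic table.
    Not loadable; it exists only to feed the scanner above."""
    phoff, dynoff = 64, 64 + 56
    table = b"".join(struct.pack("<qQ", t, v) for t, v in dyn) + struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LE, v1, SYSV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, 0, 0, len(table), len(table), 8)
    return ehdr + phdr + table

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "TEXTREL" if has_textrel(f.read()) else "clean")
```

Run it over a directory of .so files to list the ones that would need `chcon -t textrel_shlib_t` (or an equivalent semanage fcontext rule) under strict; a clean result means the library can keep its ordinary label.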
More information about the fedora-selinux-list mailing list