Untrusted content domain

Ivan Gyurdiev ivg2 at cornell.edu
Wed May 11 17:49:24 UTC 2005

(sorry for resend - incorrect recipient)

On Wed, 2005-05-11 at 18:25 +0100, Mike Hearn wrote:
> On Wed, 2005-05-11 at 12:56 -0400, Ivan Gyurdiev wrote:
> > However, they are not marked as such - Daniel, perhaps 
> > /usr(/local)?/lib/wine/.*\.so   --      textrel_shlib_t 
> > should be added?
> That is a bit hacky. I personally install Wine to /opt/wine and
> Crossover can go anywhere. I think it'd be better to adjust the Wine
> build system to label them correctly.

That's not how SELinux works right now - labeling decisions 
are centralized in the policy. I'm not sure why it's done that way - 
perhaps it's because the policy sources are also centralized.

(cc-ed Stephen Smalley - maybe he can explain)

If you label wine in the build system, and later I run restorecon, which
brings the system permissions in sync with what the file_contexts file
says, it will restore the permissions back to what the policy thinks
they should be.

> > On the other hand, if wine doesn't need text relocations, it
> > would be better if it was compiled without them.
> I have no idea why they're there, like I said, there's no documentation
> I could find on what causes the toolchain to produce them. How do you go
> about getting rid of them? They're compiled with -fPIC already.

Not sure about that - my guesses run out with fPIC...

Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University

More information about the fedora-selinux-list mailing list