strict policy problem

Stephen Smalley sds at tycho.nsa.gov
Wed Oct 5 19:56:53 UTC 2005


On Tue, 2005-10-04 at 17:04 -0400, Richard Hally wrote:
> Perhaps it would be appropriate to reevaluate the implementation
> strategy for this particular "feature" of SELinux.
> 
> If there is no coherent, concise, convincing explanation provided to the 
> people who need to make changes to their software to conform to the 
> requirements of this "feature" then there isn't much hope of them doing 
> what is required. Since this "feature" was implemented many months ago
> and these problems are still appearing, please consider filing bugs with
> the appropriate explanation so that the appropriate people can make the 
> required changes.

Hi,

I think all you need to do is file a bugzilla against firefox and report
what you reported originally, and note that these .so's have text
relocations.  Then it is up to the maintainer for that package (and
ultimately the upstream developers) to address the issue.  The notion
that text relocations are bad isn't something novel to SELinux by any
means.  We simply added controls to SELinux over the resulting attempt
to modify the memory protections at the suggestion of the Red Hat
developers so that this can be controlled by policy.

You can also bugzilla policy if you like so that the permissions can be
added in the short term until the package is fixed.

This is no different than any other bug you might encounter in a
particular package; when you find the bug, file it against the package.
The policy can certainly work around it in the short term, but that
doesn't improve security; it just permits the status quo.

-- 
Stephen Smalley
National Security Agency




More information about the fedora-selinux-list mailing list