James Morris - SELinux workaround for Picasa
May 27th, 2006
02:09 am

Many people will be trying out Google's Picasa under Linux. Unfortunately, there's no SELinux policy for the application yet, and Google have been advising people to disable SELinux on Fedora to run Picasa.

If affected, you do not need to disable SELinux.

A simple filesystem labeling workaround has been described in the following post:

http://groups.google.com/group/Google-Labs-Picasa-for-Linux/msg/06f6a1465a712dbc

# Set the executable module exception on *.so *.so.* and *.dll files

> find /opt/picasa -type f \( -iname '*.so' -o -iname '*.so.*' -o -iname '*.dll' \) -exec chcon -t textrel_shlib_t {} \;

It appears that some of the libraries they distribute require the execmod permission, which is not granted by default under SELinux. The workaround above relabels the supplied libraries so that SELinux policy will consider them "safe" to perform operations constrained by the execmod permission. This in fact may be unsafe, although this workaround is certainly better than completely disabling SELinux.

You can read more about the details of execmod in Ulrich Drepper's document SELinux Memory Protection Tests.

Based on Ulrich's commentary, it seems reasonable to assume that some element of the Picasa code being blocked by the SELinux policy needs to be reworked for security reasons. I'm not sure exactly which component(s) may be generating the policy violations, although it may of course be one of the third-party libraries. Ideally, we'll be able to work with Google and/or third-party developers to get the issue resolved correctly.
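
One way to narrow down which libraries actually trigger the execmod denials is to filter the AVC records for that permission and list the files involved. The script below is an added example, not part of the original post: the function names are hypothetical and the audit records are constructed samples, not taken from a real Picasa install.

```shell
#!/bin/sh
# Added example: list the files behind execmod AVC denials.
# On a system running auditd the records are in /var/log/audit/audit.log.

# Constructed sample records (paths, pids and inode numbers are made up).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1148695740.101:41): avc:  denied  { execmod } for  pid=2101 comm="picasa" path="/opt/picasa/lib/libexample.so" dev=dm-0 ino=1001 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1148695740.102:42): avc:  denied  { execmod } for  pid=2101 comm="picasa" path="/opt/picasa/wine/lib/example.dll" dev=dm-0 ino=1002 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1148695741.200:43): avc:  denied  { execmod } for  pid=2101 comm="picasa" path="/opt/picasa/lib/libexample.so" dev=dm-0 ino=1001 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1148695742.300:44): avc:  denied  { read } for  pid=2101 comm="picasa" path="/opt/picasa/lib/libother.so" dev=dm-0 ino=1003 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1148695743.400:45): avc:  granted  { execmod } for  pid=2200 comm="other" path="/usr/lib/libgranted.so" dev=dm-0 ino=1004 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:textrel_shlib_t tclass=file
EOF
}

# Read audit records on stdin and print, one per line and de-duplicated,
# the path of every file for which execmod was denied.
execmod_denied_paths() {
    # Keep denials only (drops "granted" records).
    grep 'avc: *denied' |
    # Keep records whose permission set { ... } contains execmod.
    grep -E '\{[^}]* execmod [^}]*\}' |
    # Extract the quoted path="..." field.
    sed -n 's/.* path="\([^"]*\)".*/\1/p' |
    LC_ALL=C sort -u
}

# With a file argument, read that log; otherwise use the constructed sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    execmod_denied_paths < "$1"
else
    sample_avc | execmod_denied_paths
fi
```

The resulting list shows which files would need the textrel_shlib_t label, so the relabel can be limited to them instead of every library under /opt/picasa.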

If you have any further information on this, contact the Fedora SELinux developers via the Fedora SELinux mailing list.


Comments
 
From:(Anonymous)
Date:May 28th, 2006 09:04 am (UTC)

Wine needs execmod

AFAIK it is because picasa for Linux has an included build of wine to run (they didn't port it to Linux, they just stuck wine on the backend) and wine requires execmod.
