James Morris (james_morris) wrote,
James Morris

SELinux workaround for Picasa

Many people will be trying out Google's Picasa under Linux. Unfortunately, there's no SELinux policy for the application yet, and Google have been advising people to disable SELinux on Fedora to run Picasa.

If affected, you do not need to disable SELinux.

A simple filesystem labeling workaround has been described in the following post:


# Set the executable module exception on *.so *.so.* and *.dll files

> find /opt/picasa -type f -iname '*.so' -o -iname '*.so.*' -o -iname '*.dll' -exec  chcon -t textrel_shlib_t {} \; 
It appears that some of the libraries they distribute require the execmod permission, which is not granted by default under SELinux. The above workaround above relabels the supplied libraries so that SELinux policy will consider them "safe" to perform operations constrained by the execmod permission. This in fact may be unsafe, although this workaround is certainly better than completely disabling SELinux.

You can read more about the details of execmod Ulrich Drepper's document SELinux Memory Protection Tests.

Based on Ulrich's commentary, it seems reasonable to assume that some element of the Picasa code being blocked by the SELinux policy needs to be reworked for security reasons. I'm not sure exactly which component(s) may be generating the policy violations, although it may of course be one of the third-party libraries. Ideally, we'll be able work with the Google and/or third party developers to get the issue resolved correctly.

If you have any further information on this, contact the Fedora SELinux developers via the Fedora SELinux mailing list.

  • All my talk slides are now on Slideshare

    I've uploaded the slides from essentially all of the talks I've given to Slideshare. This is likely more useful than my previous strategy of dumping…

  • SELinux for Humans

    I mean, SLUGs... Paul Wayper gave a couple of talks on SELinux at this weeks' SLUG meeting, and includes links to a couple of very useful slide…

  • Security subsystem changes in the 2.6.30 kernel

    Here's an update on the major changes to the kernel security subsystem for the 2.6.30 kernel. TOMOYO The TOMOYO security framework from NTT was…

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 1 comment