Dan Walsh's Blog

Got SELinux?


Google Apps versus SELinux
danwalsh
How to make Google Apps work with SELinux ...

Google applications such as Picasa and Google Earth tend to have several problems with SELinux. I will explain what is happening and how you can make them work.

1. Google is shipping shared libraries that are not built as Position Independent Code (PIC). SELinux does not like these libraries, because loading them requires the execmod access. Ulrich Drepper explains the execmod access. Google should be compiling their libraries with -fPIC. Google might have Windows code in the libraries that causes the execmod access to be required no matter what. SELinux provides the textrel_shlib_t label type, which tells SELinux to allow the execmod access on any library with this type. Another option: if you decide that execmod is not something to worry about, you can turn off the check altogether by executing:

# setsebool -P allow_execmod 1

SELinux has most of the labelling set up for the most common places Google installs their libraries, but ...

2. Google does not ship their packages in RPM format. RPM is SELinux aware, meaning all files within the RPM payload automatically get the correct label. Google ships their applications as compressed tarballs or with some home-grown install shell script and does not put down the correct labels. Google could add a restorecon to their installs and then most people would not be seeing these problems. Hint, hint. Users should execute restorecon following Google installs to correct the labels:

# restorecon -R -v /opt

3. Google likes to use Wine. I imagine they do this rather than rewriting applications in a native format or using some portable language. Wine and Windows applications have a couple of problems on SELinux. The shared libraries shipped with Wine applications (DLLs) tend to need the execmod access. Worse than this, some Wine applications need to map the low memory that the mmap_min_addr protection reserves, causing a mmap_zero AVC denial. Eric Paris describes the risk of the mmap_zero. mmap_zero is considered very dangerous and SELinux tries to protect against this attack. But if you want to allow Wine applications to run that require this permission, you can turn off the check:

# setsebool -P mmap_low_allowed 1

In some cases the Google application could be running fine, but SELinux is still complaining about mmap_zero. You can turn off the reporting of these errors by executing:

# setsebool -P wine_mmap_zero_ignore 1
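Rather than flipping allow_execmod for the whole system, the narrower fix from items 1 and 2 is to find the specific libraries that carry text relocations and give only those the textrel_shlib_t label, then restorecon them. The script below is an added example (not Dan's or Google's code); it assumes readelf from binutils and semanage from policycoreutils are installed, and that /opt/google is where the libraries landed.

```shell
#!/bin/sh
# Added example: label only TEXTREL libraries textrel_shlib_t instead of
# disabling the execmod check system-wide. Assumes readelf and semanage
# are available; /opt/google is an assumed install prefix.

# Return 0 if the `readelf -d` output on stdin shows a TEXTREL entry
# (DT_TEXTREL tag or the TEXTREL bit in DT_FLAGS). Such a library needs
# its text segment patched at load time, which is what execmod allows.
has_textrel() {
    grep -q 'TEXTREL'
}

# Print the path of every shared object under $1 that has TEXTREL.
find_textrel_libs() {
    find "$1" -type f -name '*.so*' 2>/dev/null | while read -r lib; do
        if readelf -d "$lib" 2>/dev/null | has_textrel; then
            printf '%s\n' "$lib"
        fi
    done
}

# Escape a literal path so semanage fcontext treats it as an exact match
# (its patterns are regular expressions, so '.' must become '\.').
fcontext_pattern() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Record a textrel_shlib_t context for each TEXTREL library and apply it.
label_textrel_libs() {
    dir=${1:-/opt/google}
    find_textrel_libs "$dir" | while read -r lib; do
        echo "labelling $lib as textrel_shlib_t"
        semanage fcontext -a -t textrel_shlib_t "$(fcontext_pattern "$lib")"
        restorecon -v "$lib"
    done
}

# Show the current state of the three booleans discussed above, so you
# can confirm none of them was left switched on after testing.
show_booleans() {
    getsebool allow_execmod mmap_low_allowed wine_mmap_zero_ignore
}
```

Run `label_textrel_libs` as root after a Google install; libraries without TEXTREL are left alone and keep the label restorecon gives them.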

The Chrome web browser that is packaged by Tom "spot" Callaway works well with SELinux. We have even strengthened their chrome-sandbox with SELinux controls and worked with the developer to make their sandbox as controlled as possible.
