danwalsh ([info]danwalsh) wrote,
@ 2006-06-13 13:56:00
google-earth and SELinux
Google released a new product called google-earth, and it has a couple of SELinux problems.

First, they build libcrypto incorrectly.  I tried to figure out how to report a bug to them, but to no avail.

At Red Hat we build openssl (and with it libcrypto) with the following options in the spec file.

./Configure \
        --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
        zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared \
        --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
        -I%{_prefix}/kerberos/include -L%{_prefix}/kerberos/%{_lib} \
        ${sslarch}

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"
make depend
make all build-shared

The -Wa,--noexecstack flag makes the assembler emit a .note.GNU-stack section in each of libcrypto's assembly objects,
so the linker marks the finished shared library's PT_GNU_STACK segment as non-executable.  Without it, a single hand-written
assembly object is enough for the linker to conservatively mark the whole library as requiring an executable stack; when
such a library is loaded into a process, glibc tries to make the stack executable, and SELinux denies that as an execstack
access.  Obviously google does not pass this flag.  If anyone can figure out how to send in a bug report please do.

So on Rawhide, or on any system where the allow_execstack boolean is turned off, loading google's libcrypto causes an execstack denial.

You can execute

execstack -c /usr/local/google-earth/libcrypto.so.0.9.8

to clear the flag in the library's PT_GNU_STACK header and eliminate the problem.  Note that this rewrites the file in place, so a reinstall or update of google-earth brings the flag back.
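What execstack -c actually does is flip one bit: the PF_X flag in the library's PT_GNU_STACK program header. The following Python script is an added example, not Dan Walsh's code and not part of the prelink package that ships execstack; it parses the ELF program headers, reports whether the PT_GNU_STACK segment is marked executable (or is missing, which the kernel and glibc treat the same way), and clears PF_X exactly as execstack -c does. The build_sample_elf64 helper constructs a synthetic two-segment ELF64 image in place of the real libcrypto.so.0.9.8 so the script runs offline; pass a path on the command line to inspect a real library instead.

```python
"""Inspect and clear the executable-stack marking of an ELF object.

Added example: a minimal re-implementation of what `execstack -q` and
`execstack -c` do to the PT_GNU_STACK program header.  Handles ELF32 and
ELF64, little- and big-endian.
"""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # GNU extension: stack permission marker
PF_X, PF_W, PF_R = 1, 2, 4


def _layout(data):
    """Return (struct endian prefix, phoff, phentsize, phnum, offset of p_flags in a phdr)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                    # Elf64_Phdr: p_type, p_flags, p_offset, ...
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                   # Elf32_Phdr: p_flags follows p_memsz
    if phoff + phnum * phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    return end, phoff, phentsize, phnum, flags_off


def gnu_stack_flags(data):
    """p_flags of the PT_GNU_STACK header, or None if the object carries none."""
    end, phoff, phentsize, phnum, flags_off = _layout(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, base + flags_off)[0]
    return None


def stack_is_executable(data):
    """True if loading this object would require an executable stack.
    A missing PT_GNU_STACK header means 'executable' (the legacy default)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def clear_execstack(data):
    """Equivalent of `execstack -c`: clear PF_X on PT_GNU_STACK, return new bytes."""
    end, phoff, phentsize, phnum, flags_off = _layout(data)
    buf = bytearray(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", buf, base)
        if p_type == PT_GNU_STACK:
            flags, = struct.unpack_from(end + "I", buf, base + flags_off)
            struct.pack_into(end + "I", buf, base + flags_off, flags & ~PF_X)
            return bytes(buf)
    # execstack(8) can synthesise a header when one is absent; this toy does not.
    raise ValueError("no PT_GNU_STACK header to clear")


def build_sample_elf64(exec_stack):
    """Constructed test object: a little-endian ELF64 ET_DYN image with one PT_LOAD
    and one PT_GNU_STACK header.  Synthetic, not a real libcrypto.so."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3,          # e_type      = ET_DYN (shared object)
        62,         # e_machine   = EM_X86_64
        1,          # e_version
        0,          # e_entry
        64,         # e_phoff     = program headers directly after the ELF header
        0,          # e_shoff     (no section headers in this toy)
        0,          # e_flags
        64,         # e_ehsize
        56,         # e_phentsize
        2,          # e_phnum
        64, 0, 0)   # e_shentsize, e_shnum, e_shstrndx
    load = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000)
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    gnu_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + load + gnu_stack


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # e.g. /usr/local/google-earth/libcrypto.so.0.9.8
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                # no path: use the synthetic mis-built object
        data = build_sample_elf64(exec_stack=True)
    flags = gnu_stack_flags(data)
    print("PT_GNU_STACK flags:", "absent" if flags is None else hex(flags),
          "(executable stack)" if stack_is_executable(data) else "(non-executable stack)")
    if flags is not None and stack_is_executable(data):
        fixed = clear_execstack(data)
        print("after clearing PF_X:", hex(gnu_stack_flags(fixed)),
              "(executable stack)" if stack_is_executable(fixed) else "(non-executable stack)")
```

The script only reports; it never writes the file back, so running it on the real library is safe. To confirm the state of an installed library with the stock tools, execstack -q prints X in the first column when the flag is set and - when it is clear, and readelf -l shows the same information in the Flags column of the GNU_STACK entry.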

Google-earth also seems to use RealPlayer, which seems to require execmem.  If you have the allow_execmem boolean
turned off you can execute

chcon -t unconfined_execmem_exec_t /usr/local/RealPlayer/realplay.bin

so that it runs in a domain that is allowed to execmem.  The label has to go on realplay.bin, the actual binary, not on the realplay wrapper script.  A label set with chcon is lost on the next relabel, which is why the file context needs to be defined in policy.

I am updating policy to define this file context.

This allowed me to run google-earth with SELinux in enforcing mode.  (Of course the application hung my X server after a few minutes,
but I don't believe this was a SELinux problem. YMMV)





[info]kosai
2006-06-13 06:43 pm UTC
Ryan Gordon (icculus@icculus.org) did the Linux porting, and would be able to take your bug.


/usr/local/RealPlayer/realplay.bin is the binary
(Anonymous)
2006-06-13 07:19 pm UTC
Note that "/usr/local/RealPlayer/realplay" is just a shell script. Wouldn't you want to set "/usr/local/RealPlayer/realplay.bin" to "unconfined_execmem_exec_t" instead? Or are you counting on the type to be inherited at fork?


Re: /usr/local/RealPlayer/realplay.bin is the binary
[info]danwalsh
2006-06-13 07:45 pm UTC
Thanks I updated my post.



[info]7wrc
2007-05-02 07:42 pm UTC
Useful issue, thanks for that.
