Dan Walsh's Blog

Got SELinux?

google-earth and SELinux
Google released a new product called google-earth, and it has a couple of SELinux problems.

One: they build libcrypto incorrectly.  I tried to figure out how to report a bug to them, but to no avail.

At Red Hat we build the libcrypto library in openssl with the following qualifiers.

./Configure \
        --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
        zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa shared \
        --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
        -I%{_prefix}/kerberos/include -L%{_prefix}/kerberos/%{_lib} \

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"
make depend
make all build-shared

This eliminates the execstack flag on the shared library.  Obviously Google does not do this.  If anyone can figure out how to send in a bug report, please do.

So this library causes an execstack failure in Rawhide, or on any system where the allow_execstack boolean is not set.

You can execute

execstack -c /usr/local/google-earth/libcrypto.so.0.9.8

to clear the flag and eliminate the problem.
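As an added illustration (not part of the original post), this shows what the execstack tool actually inspects and changes: the PF_X bit in the PT_GNU_STACK program header of the ELF file. It parses a little-endian ELF64 image constructed inline, reports whether the stack is marked executable, and clears the bit the way execstack -c does.

```python
import struct

# Constants from the ELF specification / glibc elf.h
PT_GNU_STACK = 0x6474E551   # program header that records stack permissions
PF_X = 0x1                  # "executable" bit in p_flags
EI_CLASS, EI_DATA = 4, 5    # offsets inside e_ident
ELFCLASS64, ELFDATA2LSB = 2, 1

def _phdr_table(data):
    """Yield (file offset of p_flags, p_type, p_flags) for each program header.
    Only little-endian ELF64 is handled in this example."""
    if data[:4] != b"\x7fELF" or data[EI_CLASS] != ELFCLASS64 or data[EI_DATA] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        yield off + 4, p_type, p_flags   # p_flags follows the 4-byte p_type

def stack_is_executable(data):
    """True/False from PT_GNU_STACK; None when the header is absent (the kernel then
    falls back to an architecture default, which on x86 means an executable stack).
    This is the check `execstack -q` performs."""
    for _, p_type, p_flags in _phdr_table(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def clear_execstack(data):
    """Return a copy with PF_X removed from PT_GNU_STACK, as `execstack -c` does."""
    out = bytearray(data)
    for flags_off, p_type, p_flags in _phdr_table(data):
        if p_type == PT_GNU_STACK:
            struct.pack_into("<I", out, flags_off, p_flags & ~PF_X)
    return bytes(out)

def build_sample_elf(stack_flags):
    """Constructed sample: a minimal ELF64 shared-object header (ET_DYN, x86-64)
    followed by a single PT_GNU_STACK program header with the given p_flags."""
    e_ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    bad = build_sample_elf(0x7)          # RWX stack, what a library built without --noexecstack gets
    print("before:", stack_is_executable(bad), "after:", stack_is_executable(clear_execstack(bad)))
```

Clearing the bit only changes the marking; a library whose assembler code genuinely needs an executable stack would still fail at runtime, which is why fixing the build with -Wa,--noexecstack is the real fix.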

This tool also seems to use RealPlayer, which seems to require execmem.  If you have the allow_execmem boolean turned off, you can execute

chcon -t unconfined_execmem_exec_t /usr/local/RealPlayer/realplay.bin

so that it will be allowed to execmem.

I am updating policy to define this file context.

This allowed me to run google-earth with SELinux in enforcing mode.  (Of course the application hung my X server after a few minutes, but I don't believe this was an SELinux problem. YMMV)

/usr/local/RealPlayer/realplay.bin is the binary


2006-06-13 07:19 pm (UTC)

Note that "/usr/local/RealPlayer/realplay" is just a shell script. Wouldn't you want to set "/usr/local/RealPlayer/realplay.bin" to "unconfined_execmem_exec_t" instead? Or are you counting on the type to be inherited at fork?
