Valve Asks Users to Disable SELinux to Play Portal 2, Linux Community Reacts

The developers have reconsidered the initial advice about SELinux

Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted.

Before releasing a stable version of a ported game on the Linux platform, Valve usually keeps the title in Beta and gathers bug reports from the community, usually on GitHub. This is the case with Portal 2, and the bug reports have already started to pile up. The Valve developers have their work cut out for them for some time to come.

One of the most interesting bugs related to Portal 2 is about a crash that is apparently caused by the game's interaction with SELinux. This is a Linux kernel module that deals with access control security policies.

If you have never heard of SELinux, don't feel bad. It's not something that normal users usually interact with, and most of the time it just does its job in the background, like any normal kernel module. Because it is a kernel module, it is active all the time on systems that use it and have it enabled.

Ubuntu and Debian use AppArmor, which is a different solution, but Fedora, for example, along with other similar distros, uses SELinux. Users who are trying to play Portal 2 on these platforms will experience crashes. This is what Valve developer David W. wrote on GitHub:

“To play Portal 2 you need to have SELinux disabled. Closing this out.”

Portal 2 uses a third-party MP3 decoder (Miles) which, in turn, uses execheap, a feature that is normally disabled by SELinux. execheap allows a program to map a part of the memory so that it is both writable and executable. This is a problem if an attacker can reach that memory section through a buffer overflow: data written there can then be run as code, which would eventually permit the attacker to gain access to the system.

This is thankfully contained by the existing solutions, like SELinux, but asking users to disable a security feature on the Linux platform should not be a solution.
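The denial described above shows up in the audit log as an AVC record, so the process that needs execheap can be identified without turning SELinux off. The following is an added example, not code from Valve or from the bug report; it assumes the usual audit.log AVC record layout, and the sample records and process names in it are constructed.

```python
import re
from collections import Counter

# Process-class permissions SELinux uses to police executable heap,
# anonymous memory and stack.
MEM_PERMS = {"execheap", "execmem", "execstack"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (illustrative only, not taken from the bug report).
SAMPLE_LOG = '''\
type=AVC msg=audit(1400000001.101:310): avc:  denied  { execheap } for  pid=4121 comm="game_demo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1400000002.202:311): avc:  denied  { read } for  pid=900 comm="httpd" name="secret" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1400000003.303:312): avc:  denied  { execheap } for  pid=4177 comm="game_demo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1400000004.404:313): avc:  denied  { execmem } for  pid=5000 comm="jitdemo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1400000004.404:313): arch=c000003e syscall=10 success=yes exit=0
'''


def memory_denials(log_text):
    """Count executable-memory denials, keyed by (comm, permission, enforced)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if fields.get("tclass") != "process":
            continue  # file, socket, ... denials are out of scope here
        # Older kernels omit permissive=; treat a missing field as enforcing.
        enforced = fields.get("permissive", "0") != "1"
        for perm in m.group("perms").split():
            if perm in MEM_PERMS:
                hits[(fields.get("comm", "?"), perm, enforced)] += 1
    return hits


if __name__ == "__main__":
    for (comm, perm, enforced), n in sorted(memory_denials(SAMPLE_LOG).items()):
        state = "blocked" if enforced else "logged only (permissive)"
        print(f"{comm}: {perm} x{n}, {state}")
```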

The blowback from the initial comment made by David W. has forced the developer to take the problem under advisement and to reopen the bug.

“I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it,” wrote David W. a couple of hours later.

This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction.

We'll keep you apprised of any news about this particular Portal 2 SELinux bug.
