So, I have a FUSE filesystem for the home directory of one of the users on my computer, and chromium-browser and some other programs that had data directories in the FUSE filesystem failed to launch.
Learning about SELinux
It appears that generally only the mounting user can see the mounted filesystem, so I wondered whether that was part of the problem, but testing chromium-browser on a test /tmp/ directory with permissions 700 still worked. I then tried the regular thing, and checked if it was SELinux. It's always SELinux. Indeed, briefly setting setenforce 0 allowed chromium-browser to launch. Obviously that's not a real solution; it's like taking the battery out of a beeping smoke alarm.
Recently on Google+ I perused a thread on SELinux linked to stopdisablingselinux.com, which leads to a 52-minute Red Hat video on how to properly use it. While I feel that 52 minutes is a bit long to convince the average user, I'd like to better understand SELinux, so I watched it.
I recommend watching it if you're curious about how to work with SELinux because it was pretty clear and crisp. Types, labels, policies and useful commands.
auditd, audit.log not updating?
Now, I'll confess that I've known there's been something amiss with my configuration, in that, for a while (since upgrading to Fedora 16!), I have not seen any sealerts. I've confirmed that SELinux was operating and haven't had the time to diagnose the problem further. At first I thought that sealerts were no longer being displayed by intent, but then a Fedora 18 Live USB key started displaying some. With my new knowledge, I solved two problems in one day.
To find out what was going on with fuse and chromium-browser, I manually checked /var/log/audit/audit.log to discover that it had not been updated since November 2011! I checked to see whether auditd was running using systemctl and ps, and it was not. It probably hasn't started since that upgrade. Probably systemd-migration related. Referring to the Fedora 18 security manual, the solution to this was simple, /sbin/chkconfig --levels 2345 auditd on, so it will usually start, and systemctl start auditd.service, so it would start right now.
Using FUSE file systems as home directories
Then, I tested chromium-browser again, sometimes starting with its user-data-dir in the FUSE filesystem, other times in /tmp/, and the problem I was encountering was this:
type=ANOM_ABEND msg=audit(1371441397.452:21): auid=504 uid=504 gid=504 ses=2 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1044 pid=21858 comm="chromium-browse" reason="memory violation" sig=11
Sadly, setroubleshootd couldn't offer any solutions to this, so I googled ANOM_ABEND and "memory violation" and fuse, and discovered the boolean use_fusefs_home_dirs. There weren't many search results, but this was enough. Using setsebool use_fusefs_home_dirs 1 allowed chromium-browser and others to run normally. Hooray!
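The two checks from this post (is the audit log still being written, and which SELinux domain crashed), as an added shell example that is not part of the original post. The function names, the `--demo`/`--live` switches and the 24-hour staleness threshold are this example's own assumptions; the sample record is the ANOM_ABEND line quoted above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The sample record is the
# ANOM_ABEND line quoted in the post; the 24h threshold is an assumption.
SAMPLE_RECORD='type=ANOM_ABEND msg=audit(1371441397.452:21): auid=504 uid=504 gid=504 ses=2 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1044 pid=21858 comm="chromium-browse" reason="memory violation" sig=11'

# Epoch seconds of the newest record on stdin: msg=audit(EPOCH.ms:serial)
last_audit_epoch() {
    sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p' | tail -n 1
}

# Succeeds (stale) when stdin has no records or the newest one is older
# than MAX_AGE seconds. Usage: audit_log_stale MAX_AGE [NOW] < logfile
audit_log_stale() {
    local max_age="$1" now="${2:-$(date +%s)}" last
    last="$(last_audit_epoch)"
    [ -n "$last" ] || return 0
    [ $(( now - last )) -gt "$max_age" ]
}

# One line per ANOM_ABEND record: SELinux type, comm, reason, signal.
abend_summary() {
    grep 'type=ANOM_ABEND' | while IFS= read -r line; do
        setype=$(printf '%s\n' "$line" | sed -n 's/.* subj=\([^ ]*\).*/\1/p' | cut -d: -f3)
        comm=$(printf '%s\n' "$line" | sed -n 's/.* comm="\([^"]*\)".*/\1/p')
        reason=$(printf '%s\n' "$line" | sed -n 's/.* reason="\([^"]*\)".*/\1/p')
        sig=$(printf '%s\n' "$line" | sed -n 's/.* sig=\([0-9]*\).*/\1/p')
        printf '%s comm=%s reason=%s sig=%s\n' "$setype" "$comm" "$reason" "$sig"
    done
}

case "${1:-}" in
--demo) printf '%s\n' "$SAMPLE_RECORD" | abend_summary ;;
--live) # run as root on the affected machine
    log=/var/log/audit/audit.log
    systemctl is-active --quiet auditd.service || echo "auditd is not running"
    audit_log_stale 86400 < "$log" && echo "no audit records in the last 24h"
    abend_summary < "$log"
    # setsebool without -P changes only the running policy; -P persists it.
    getsebool use_fusefs_home_dirs ;;
esac
```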
Concluding Thoughts
Upgrading and migrating settings and customisation
So, two thoughts: Fedora and Linux distributions in general often have problems when upgrading. Fedora used to (still does?) advise that you install through Anaconda, and I think I was supposed to install a clean system. I don't think that's very user friendly, having to burn ISOs, and feel like it should happen in place managed by software (not during a user session, of course). Eventually preupgrade came along, and eventually it became acceptable. Still, though, upgrades often end up with subtly broken configuration. gnome-documents was supposed to be notable in one upgrade, but I had to manually install it, because the upgrade didn't add it as a new package for the new release. Worse than system configuration breaking (like auditd's autostarting at boot) might be user configuration for apps changing and rarely is any migration offered. I have config files that are many years old that are no longer used and just sit there, or contain now invalid configuration. There are stale gconf keys. One solution is to start fresh and copy over data, but then it's a pain re-configuring all my favourite apps, and I might not know what customisations I've lost. One solution is to reduce the amount of customisation that is allowed, so you don't have to support complex migrations later, and I feel like that's the current trend. I think I'd like a standardised settings and migration standard. I suppose GSettings and dconf helps deal with a class of settings within GNOME applications, but of course many tools are not GNOME, and even many GNOME applications store data in ~/.config/. Ah well. At least awareness and familiarity with my system (a luxury) helps me avoid anything catastrophic, though not so much, as I haven't had time to fix my SELinux logging for over a year.
User feedback from security applications
SELinux is getting better, with sealert and setroubleshoot, but it and the firewall have some issues in offering feedback to users. Even with auditd and the other tools, SELinux wasn't able to indicate to me that use_fusefs_home_dirs set to 0 was preventing my browser from running. It's the type of feedback that would be nice to save me an hour of my day. I've seen many neat features appear in applications, using mDNS networking and Avahi, that "mysteriously" don't work, and in reality it's because the firewall silently blocks it. Promoting features in applications that can't work out-of-the-box and where the user can't readily know why it isn't working is sad. Perhaps developers are afraid of the syndrome where you present security information to a user and then they blindly click "allow" to everything, no matter how dangerous or malicious. Is that better or worse than googling and reading in a dozen forums the solution of "disable the firewall" or "disable SELinux" for people who can't be bothered (time is precious) to understand and crisply fix their problem?