2013-06-17

[Technology] SELinux and audit.log not updating

Disclaimer: I am neither a FUSE nor an SELinux expert 

So, I have a FUSE filesystem for the home directory of one of the users on my computer, and chromium-browser and some other programs that had data directories in the FUSE filesystem failed to launch.


Learning about SELinux


It appears that generally only the mounting user can see the mounted filesystem, so I wondered whether that was part of the problem, but testing chromium-browser on a test /tmp/ directory with permissions 700 still worked.  I then tried the regular thing, and checked if it was SELinux.  It's always SELinux.  Indeed, briefly setting setenforce 0 allowed chromium-browser to launch.  Obviously that's not a real solution; it's like taking the battery out of a beeping smoke alarm.



Recently on Google+ I perused a thread on SELinux linked to stopdisablingselinux.com, which leads to a 52 minute RedHat video on how to properly use it.  While I feel that 52 minutes is a bit long to convince the average user, I'd like to better understand SELinux, so I watched it. 



I recommend watching it if you're curious about how to work with SELinux because it was pretty clear and crisp.  Types, labels, policies and useful commands.


auditd, audit.log not updating?




Now, I'll confess that I've known there's been something amiss with my configuration, in that, for a while (since upgrading to Fedora 16!), I have not seen any sealerts.  I've confirmed that SELinux was operating and haven't had the time to diagnose the problem further.  At first I thought that sealerts were no longer being displayed by intent, but then a Fedora 18 Live USB key started displaying some.   With my new knowledge, I solved two problems in one day.



To find out what was going on with fuse and chromium-browser, I manually checked /var/log/audit/audit.log to discover that it had not been updated since November 2011!   I checked to see whether auditd was running using systemctl and ps, and it was not.  It probably hasn't started since that upgrade.  Probably systemd-migration related.  Referring to the Fedora 18 security manual, the solution to this was simple, /sbin/chkconfig --levels 2345 auditd on, so it will usually start, and systemctl start auditd.service, so it would start right now. 


Using FUSE file systems as home directories


Then, I tested chromium-browser again, sometimes starting with its user-data-dir in the FUSE filesystem, other times in /tmp/, and the problem I was encountering was this:

type=ANOM_ABEND msg=audit(1371441397.452:21): auid=504 uid=504 gid=504 ses=2 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1044 pid=21858 comm="chromium-browse" reason="memory violation" sig=11



Sadly, setroubleshootd couldn't offer any solutions to this, so I googled ANOM_ABEND and "memory violation" and fuse, and discovered the boolean use_fusefs_home_dirs.  There weren't many search results, but this was enough.  Using setsebool use_fusefs_home_dirs 1 allowed chromium-browser and others to run normally.  Hooray!
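The two manual checks from this post (how long ago audit.log was last written, and which SELinux domain a crash record belongs to), as an added shell example that is not part of the original post. The first sample record is constructed, the second is the ANOM_ABEND line quoted above, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: the post's two manual audit.log checks as reusable functions.

# Sample log. Line 1 is constructed (a record from November 2011, the last
# time auditd wrote anything); line 2 is the ANOM_ABEND record from the post.
sample_log() {
cat <<'EOF'
type=USER_START msg=audit(1321056000.010:7): pid=1200 uid=0 auid=504 ses=1 msg='op=PAM:session_open acct="user" res=success'
type=ANOM_ABEND msg=audit(1371441397.452:21): auid=504 uid=504 gid=504 ses=2 subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1044 pid=21858 comm="chromium-browse" reason="memory violation" sig=11
EOF
}

# Epoch seconds of the newest record on stdin, taken from msg=audit(SEC.MS:SERIAL).
newest_audit_epoch() {
  sed -n 's/.*msg=audit(\([0-9][0-9]*\)\.[0-9]*:[0-9]*).*/\1/p' | sort -n | tail -n 1
}

# Whole days between the newest record on stdin and NOW (epoch seconds,
# default: current time). A large value means auditd has stopped logging.
audit_log_age_days() (
  now=${1:-$(date +%s)}
  newest=$(newest_audit_epoch)
  [ -n "$newest" ] || { echo "no audit records found" >&2; exit 1; }
  echo $(( (now - newest) / 86400 ))
)

# Reduce ANOM_ABEND (abnormal process exit) records to "domain comm signal".
# The domain is the third field of the SELinux context in subj=.
abend_summary() {
  sed -n '/^type=ANOM_ABEND /s/.*subj=[^:]*:[^:]*:\([^:]*\):.* comm="\([^"]*\)".* sig=\([0-9]*\).*/\1 \2 \3/p'
}

# Demo on the sample, with "now" pinned to the time of the crash record.
echo "stale log age (days): $(sample_log | head -n 1 | audit_log_age_days 1371441397)"
echo "crashes by domain:    $(sample_log | abend_summary)"
```

On a live system, run the functions as root against the real log, for example `audit_log_age_days < /var/log/audit/audit.log`; a large age on a machine in daily use points at auditd not running.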


Concluding Thoughts


Upgrading and migrating settings and customisation

 

So, two thoughts: Fedora and Linux distributions in general often have problems when upgrading.  Fedora used to (still does?) advise that you install through Anaconda, and I think I was supposed to install a clean system.  I don't think that's very user friendly, having to burn ISOs, and feel like it should happen in place managed by software (not during a user session, of course).  Eventually preupgrade came along, and eventually it became acceptable.  Still, though, upgrades often end up with subtly broken configuration.  gnome-documents was supposed to be notable in one upgrade, but I had to manually install it, because the upgrade didn't add it as a new package for the new release.  Worse than system configuration breaking (like auditd's autostarting at boot) might be user configuration for apps changing and rarely is any migration offered.  I have config files that are many years old that are no longer used and just sit there, or contain now invalid configuration.   There are stale gconf keys.  One solution is to start fresh and copy over data, but then it's a pain re-configuring all my favourite apps, and I might not know what customisations I've lost.  One solution is to reduce the amount of customisation that is allowed, so you don't have to support complex migrations later, and I feel like that's the current trend.  I think I'd like a standardised settings and migration standard.  I suppose GSettings and dconf help deal with a class of settings within GNOME applications, but of course many tools are not GNOME, and even many GNOME applications store data in ~/.config/.  Ah well.  At least awareness and familiarity with my system (a luxury) helps me avoid anything catastrophic, though not so much, as I haven't had time to fix my SELinux logging for over a year.



User feedback from security applications



SELinux is getting better, with sealert and setroubleshoot, but it and the firewall have some issues in offering feedback to users.  Even with auditd and the other tools, SELinux wasn't able to indicate to me that use_fusefs_home_dirs set to 0 was preventing my browser from running.  It's the type of feedback that would be nice to save me an hour of my day.  I've seen many neat features appear in applications, using mDNS networking and Avahi, that "mysteriously" don't work, and in reality it's because the firewall silently blocks it.  Promoting features in applications that can't work out-of-the-box and where the user can't readily know why it isn't working is sad.   Perhaps developers are afraid of the syndrome where you present security information to a user and then they blindly click "allow" to everything, no matter how dangerous or malicious.  Is that better or worse than googling and reading in a dozen forums the solution of "disable the firewall" or "disable SELinux" for people who can't be bothered (time is precious) to understand and crisply fix their problem?
