Archive for the ‘Enterprise’ Category

Dropbox and SELinux

November 13th, 2010 12 comments

OK, so Dropbox isn’t 100% Open Source, but I’m a pragmatic kinda guy and I do love Dropbox. However, Dropbox doesn’t seem to like SELinux.

I know it’s so tempting to reach for the “turn off SELinux” switch, but wait: it’s actually very simple to make SELinux allow Dropbox to work.

It turns out that Dropbox tries to do some naughty stuff that SELinux is there to protect us from – namely executing code out of a memory buffer. This type of thing is usually done by programs trying to do malicious things on the system, and happily SELinux protects us from this – but that also prevents Dropbox from running.
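To confirm which program is actually being blocked before changing any policy, you can summarise the relevant AVC denials from the audit log. The following is an added example, not part of the original post: the function names and the sample log lines are constructed for illustration, and on a real system you would feed it /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example: count SELinux denials for executable-memory permissions
# (execstack, execmem, execheap) per command name.
# Input: audit.log-style lines on stdin. Output: "<count> <comm> <permission>".
summarise_exec_denials() {
    awk '
        /type=AVC/ && /denied/ {
            perm = ""; comm = ""
            # The denied permission list sits between "{ " and " }".
            if (match($0, /[{] [a-z_ ]+ [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            # Ignore denials that are not about executable memory.
            if (perm !~ /(^| )(execstack|execmem|execheap)( |$)/) next
            # comm="..." names the process that triggered the denial.
            if (match($0, /comm="[^"]*"/))
                comm = substr($0, RSTART + 6, RLENGTH - 7)
            count[comm " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,3
}

# Constructed sample input (hypothetical PIDs and timestamps).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1289650001.101:501): avc:  denied  { execstack } for  pid=2345 comm="dropbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1289650001.102:502): avc:  denied  { execmem } for  pid=2345 comm="dropbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1289650009.300:510): avc:  denied  { name_bind } for  pid=900 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1289650020.000:520): avc:  denied  { execstack } for  pid=2399 comm="dropbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
EOF
}

# Stand-alone run: summarise the constructed sample.
sample_audit_log | summarise_exec_denials
```

If only one program shows up in the summary, that is the case for labelling that single executable rather than relaxing the protection system-wide.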

How to Fix It

There is a nice and simple way to fix this, and no, I don’t mean disable SELinux ;-)

There is a boolean that you could flip that turns off this protection – namely allow_execstack:

sudo setsebool allow_execstack 1

However, this is going way too far, as you are now allowing any process to execute from the stack, which isn’t a good idea.

The best way is to tell SELinux that you just want Dropbox to be able to do this and nothing else. The way you do this is to label the executable file, in this case /usr/bin/dropbox, as type execmem_exec_t.

You can do this with a quick chcon, but that’s not the best way to do it, because a label set with chcon isn’t recorded in the file-context rules and is lost the next time the file is relabelled. The following two lines will fix Dropbox to work with SELinux:

sudo semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/dropbox
sudo restorecon -v /usr/bin/dropbox

Now if you take a look at the SELinux context of the file, you can see it’s got the right label (reported here as execmem_exec_t):

ls -lZ /usr/bin/dropbox
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/dropbox

If you spend a little time understanding the basics of SELinux (file contexts and booleans), you will find it is quite straightforward to work on a system with SELinux turned on.

If you are interested in learning more about this stuff, check out Dan Walsh’s blog.

OSG

Categories: Enterprise, FOSS, Linux, Security Tags:

Operating System Choice for Critical Systems

October 23rd, 2010 No comments

It NEVER ceases to amaze me that, when selecting an operating system for a critically important role, people still choose Windows. Now this isn’t a rant about how Linux or BSD are better or more secure than Microsoft Windows. I mean, I think it’s quite an easy argument, but one thing that is not up for debate is that Microsoft Windows is the most targeted operating system when it comes to malware.

So why, for the love of all things good in the world, do you choose the most targeted OS for your critical systems? Here are just three recent incidents/reports that prompted this rant:

1. The investigation into the recent Spanish air crash noted that a critical ground system that was designed to spot problems and alert people was actually switched off, as it was infected with malware.

http://www.technewsdaily.com/malware-implicated-in-fatal-spanair-crash-1078/

2. The latest worm currently doing the rounds and allegedly targeted at Iran’s nuclear reactor. Iran have admitted that some of their systems are indeed infected with this malware. It’s a nuclear reactor, for gawd sake.

http://www.computerworld.com/s/article/9188147/Iran_admits_Stuxnet_worm_infected_PCs_at_nuclear_reactor

3. My favorite, though, was the recent announcement about an infection in a United States military network – their worst infection ever was caused by an infected USB drive.

That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.

http://www.itpro.co.uk/626428/infected-usb-caused-biggest-us-military-breach-ever

For gawd sake, people, if it’s a critical system, don’t choose the most malware-targeted operating system. It makes no sense at all.

Categories: Enterprise, Linux, Security Tags:

VMware Left Me

November 10th, 2009 1 comment

Was it me? I don’t know, I was loyal, but they left me anyway – well, that’s how it feels.

Long Time Fan
I’ve been a long-time (read 2000/2001) fan of VMware – they were the first and, you could argue, still are the best in their space. I’m a Linux fan, have been for a while, and one of the reasons that I liked VMware was because the software I bought from them (yes, I paid for Workstation and upgrades) was available for my OS of choice. What’s more, they took the time to make sure that the windows worked with GTK2 looks. This to me meant that they liked their Linux users; they gave a crap about us.

I was so disappointed when I moved my home server from VMware Server 1 to VMware Server 2, as the Linux client had gone. At least it’s been replaced with a web interface, which seems like a good idea – then all operating systems can manage the server. The interface came in for some criticism, but it did everything I needed it to for the most part and I could manage my home VM server while out and about.

Times change and VMware came out with their free version of ESX – namely ESXi. Now while ESX also had a decent web interface, ESXi did not. Your only choice of a graphical interface now meant you had to run Windows. So I stayed with Server 2.0.

Recently I became aware of “VMware Go”, which was a “new web interface of ESXi users”. Yay, I thought, good times! Alas no, when I went to log in I was prompted with a message that said “Your broswer must be at least Firefox 3 or higher, or IE v7 or v8 to use this site”. That’s odd, I thought, as I am running 3.5.5. What I very quickly realised is that this wasn’t to do with the browser, it was to do with the OS. I tried the site from my dual-boot laptop (the only place I have Windows left these days) and I was able to get in with Firefox 3.5.5 on Windows, but running the wizard prompts you to download components like the .NET Framework and other such single-platform technology. How utterly disappointing.

End of the Road
What did we do, VMware? Why did you abandon us? Well anyway, I guess it’s the end of the road then, old friend. Be happy.

I’m off to migrate my stuff to Xen or KVM. I’m not sure which yet; Xen has Amazon using it and Citrix seem committed to open source. In fact Ian Pratt was on FLOSS Weekly earlier in the year, so they seem to have the right mindset. On the other hand, the Red Hat road map points to KVM.

Anyway, watch this space. I’m going to take my time to decide which to choose – I am on the rebound after all :-)

OSG