Archive for the ‘Linux’ Category

Dropbox and SELinux

November 13th, 2010 11 comments

OK, so Dropbox isn't 100% Open Source, but I'm a pragmatic kinda guy and I do love Dropbox. However, Dropbox doesn't seem to like SELinux.

I know it's so tempting to reach for the “turn off SELinux” switch, but wait: it's actually very simple to make SELinux allow Dropbox to work.

It turns out that Dropbox tries to do some naughty stuff that SELinux is there to protect us from – namely executing out of the memory buffer. This type of thing is usually done by programs trying to do malicious things on the system and happily SELinux protects us from this – but that prevents Dropbox from running.

How to Fix It

There is a nice and simple way to fix this, and no, I don't mean disable SELinux ;-)

There is a boolean that you could flip that turns off this protection – namely allow_execstack

sudo setsebool allow_execstack 1

However, this is going way too far, as you are now allowing any process to execute from the stack, which isn't a good idea.

The best way is to tell SELinux that you just want Dropbox to be able to do this and nothing else. The way that you do this is to label the executable file, in this case /usr/bin/dropbox, as type execmem_exec_t.

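You can do this with a quick chcon, but that's not the best way to do it, because a label set with chcon is not recorded in the file-context rules and is lost when the file is relabelled. The following two lines will fix Dropbox to work with SELinux: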

sudo semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/dropbox
sudo restorecon -v /usr/bin/dropbox

Now if you take a look at the SELinux context of the file, you can see it's got the right label:

ls -lZ /usr/bin/dropbox
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/dropbox
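
To confirm that the exception is scoped to Dropbox rather than granted through the boolean, the following added example (not part of the original post) classifies captured `getsebool` and `ls -lZ` output. The function names and the `bin_t` sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how the exec-from-memory exception was granted,
# working from captured command output so it can be checked offline.

# Print the SELinux type (third field of user:role:type:level) found in one
# line of `ls -Z` / `ls -lZ` output. Prints nothing if no context is present.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# Print "on" or "off" for a boolean from `getsebool` output ("name --> off").
boolean_state() {   # $1 = getsebool output, $2 = boolean name
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b && $2 == "-->" { print $3; exit }'
}

# Verdict:
#   global  - allow_execstack is on, so the exception is not limited to Dropbox
#   scoped  - boolean is off and only the labelled binary carries the exception
#   blocked - neither exception is in place
execmem_verdict() {  # $1 = getsebool output, $2 = ls -lZ line for the binary
    state=$(boolean_state "$1" allow_execstack)
    ftype=$(context_type "$2")
    if [ "$state" = "on" ]; then
        echo global
    elif [ "$ftype" = "execmem_exec_t" ] || [ "$ftype" = "unconfined_execmem_exec_t" ]; then
        echo scoped
    else
        echo blocked
    fi
}

# Sample input: the first ls line is the one shown in the post; the boolean
# line and the bin_t line are constructed.
SAMPLE_BOOL='allow_execstack --> off'
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/dropbox'
SAMPLE_LS_UNFIXED='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/dropbox'

echo "after fix:  $(execmem_verdict "$SAMPLE_BOOL" "$SAMPLE_LS")"
echo "before fix: $(execmem_verdict "$SAMPLE_BOOL" "$SAMPLE_LS_UNFIXED")"

# On a live system:
#   execmem_verdict "$(getsebool allow_execstack)" "$(ls -lZ /usr/bin/dropbox)"
```

A `global` verdict means the boolean from the first approach is still switched on and should be set back to 0 once the file label is in place.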

If you spend a little time to understand the basics of SELinux (file contexts and booleans), you will find it is quite straightforward to work on a system with SELinux turned on.

If you are interested in learning more about this stuff, check out Dan Walsh's blog.

OSG

Categories: Enterprise, FOSS, Linux, Security Tags:

Operating System Choice for Critical Systems

October 23rd, 2010 No comments

It NEVER ceases to amaze me that when selecting an operating system for a critically important role, people still choose Windows. Now this isn't a rant about how Linux or BSD are better or more secure than Microsoft Windows. I mean, I think it's quite an easy argument, but one thing that is not up for debate is that Microsoft Windows is the most targeted operating system when it comes to malware.

So why, for the love of all things good in the world, do you choose the most targeted OS for your critical systems? Here are just three recent incidents/reports that prompted this rant:

1. The investigation into the recent Spanish air crash noted that a critical ground system, that was designed to spot problems and alert people was actually switched off as it was infected with malware

http://www.technewsdaily.com/malware-implicated-in-fatal-spanair-crash-1078/

2. The latest worm currently doing the rounds and allegedly targeted at Iran's nuclear reactor. Iran have admitted that some of their systems are indeed infected with this malware. It's a nuclear reactor, for gawd sake.

http://www.computerworld.com/s/article/9188147/Iran_admits_Stuxnet_worm_infected_PCs_at_nuclear_reactor

3. My favorite though was the recent announcement about an infection in a United States military network – their worst infection ever was caused by an infected USB drive.

That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.

http://www.itpro.co.uk/626428/infected-usb-caused-biggest-us-military-breach-ever

For gawd sake people, if it's a critical system, don't choose the most malware-targeted operating system. It makes no sense at all.

Categories: Enterprise, Linux, Security Tags:

FOSDEM 2010

February 12th, 2010 1 comment

I have just returned from my annual trip to FOSDEM, held in Brussels. FOSDEM is one of my favourite conferences; there are so many interesting tracks and the already large conference seems to grow bigger each year. FOSDEM is entirely free and exists on a combination of donations and sponsorship, a model which clearly seems to work.

Like all good conferences, you are inevitably faced with the problem that there are multiple talks that you would like to see but they are being held at the same time. Some of the talks inevitably make it online and this year's is no exception. They are available here

Of course, like most conferences, it's not all about the tech. FOSDEM is the conference where I see the most socialising. I guess the fact that Belgium has some of the finest beers in the world helps this no end :)

Each year I come away from FOSDEM itching to get my hands on some of the technologies that I have heard about, and this year is no different. Spacewalk is a project I've been interested in for about 6 months now and it seems to have had some really nice features added soon. I'm just waiting for them to break the need to use Oracle before I really dive back into it. PostgreSQL is on the roadmap and should be here soon.

There was an interesting talk by Lindsay Holmwood about Flapjack, Cucumber Nagios & Visage, both of which I'd like to have a play with. Another very interesting talk was given by a couple of guys from Facebook. They were talking about how they have scaled Facebook with Open Source tools and the additional tools that Facebook have created and Open Sourced. Full marks have to go to Facebook for this; nice to see a company contributing back to Open Source so much. You can go to facebook.com/opensource to find out about this.

I have also come away from FOSDEM ready to give OpsView another try. @dotwaffle extolled its virtues, so I certainly need to take a look at that. I have to say it was a real privilege to listen to Andrew Tanenbaum talk about Minix as well; I had no idea about some of the cool technologies included in it, such as the reincarnation service. He was an entertaining speaker also, which always helps.

I mentioned that FOSDEM seems to grow each year and take on more and more talks, inevitably this leads to some talks being put in rooms that are too small for the level of interest. I really wanted to take a look at some of the Coreboot talks but the room seemed to be at capacity right from the start. I guess I need to use those online videos I mentioned above.

Each year there is also the usual swag available and this year was no different. I came away with a new T-shirt, and Max Spevack (Fedora Community guy) had brought over some excellent “powered by Fedora” case stickers. Speaking of which, Max had also organised a Fedora Activity Day on the Friday afternoon, which was a nice way of starting off the weekend, a kind of pre-con. It was great to see so many Fedora Ambassadors at FOSDEM again this year.

All in all I had a great time there, a time that always seems to be over too quickly. It would be great to see them extend the conference by a day or two. There were over 200 lectures given over the space of two short days, so I'm sure there is enough content. I guess it depends if they could secure use of the University on weekdays; that may be the limiting factor.

Anyway, a *very* big thanks to the organisers, the sponsors and the people who volunteer their time to make sure that the conference runs so smoothly. If you have never been to a FOSDEM, please make sure to see if you can go next February – watch the site for the exact date.

Other Conferences
While I'm talking about conferences, please be sure to check out
LOAD www.loadays.org April, Antwerp BE
OGGCamp oggcamp.org March, Liverpool UK

Categories: Culture, FOSDEM, FOSS, identica, Linux Tags: