Re: Google Chrome generates many audit type 1326 messages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 2016-12-29 at 09:42 -0800, Rick Stevens wrote:
> On 12/29/2016 04:03 AM, Patrick O'Callaghan wrote:
> > On Thu, 2016-12-29 at 01:52 +0200, Alchemist wrote:
> > > 2016-12-28 14:44 GMT+02:00 Patrick O'Callaghan <pocallaghan@xxxxxxxxx>:
> > > 
> > > > On Tue, 2016-12-27 at 21:17 +0200, Alchemist wrote:
> > > > > 2016-12-27 21:00 GMT+02:00 Patrick O'Callaghan <pocallaghan@xxxxxxxxx>:
> > > > > 
> > > > > > On Tue, 2016-12-27 at 08:48 -0500, Tom Horsley wrote:
> > > > > > > On Tue, 27 Dec 2016 13:35:09 +0000
> > > > > > > Patrick O'Callaghan wrote:
> > > > > > > 
> > > > > > > > b) can be turned off?
> > > > > > > 
> > > > > > > Edit grub.cfg and put audit=0 on the kernel command line.
> > > > > > > Disable the auditd service.
> > > > > > > No more audit messages from anything :-).
> > > > > > 
> > > > > > Wasn't really the question. I want to know what it's telling me before
> > > > > > I decide whether to turn it off.
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > > http://billauer.co.il/blog/2015/08/linux-google-chrome-aw-snap-seccomp/
> > > > 
> > > > Thanks, I had used ausearch to confirm these are SECCOMP errors, i.e.
> > > > problems with Chrome sandboxing (which apparently have been around for
> > > > a long time). However the URL above recommends just running Chrome
> > > > without the sandbox, which a) isn't a solution and b) is no longer
> > > > supported.
> > > > 
> > > > Now that I know what it is, I can just ignore the audit errors.
> > > > 
> > > > 
> > > 
> > > Yes, or you may add something like
> > > 
> > > -a exclude,always -F msgtype=1326
> > > or
> > > -a exclude,always -F exe=/opt/google/chrome/chrome
> > > 
> > > to /etc/audit/audit.rules
> > > systemctl restart auditd
> > 
> > systemctl doesn't work for this. You have to run "service restart auditd"
> > 
> > > see man auditctl
> > > 
> > > Because depending on Your Chrome usage, it could flood logs and make
> > > difficult to search something truly important.
> > 
> > I've tried the second version (excluding the executable) but I'm still getting floods of audit messages:
> > 
> > $ sudo auditctl exclude exe="/opt/google/chrome/chrome"
> > $ journal -e
> > Dec 29 11:53:42 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:53:42 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:53:51 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:53:51 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:00 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:00 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:09 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:09 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:20 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:20 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:27 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:27 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > Dec 29 11:54:39 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6
> > 
> > etc. etc.
> > 
> > The audit documentation is not helpful. Any ideas?
> 
> Have you tried
> 
> 	# semanage boolean --on unconfined_chrome_sandbox_transition
> 
> which "allows unconfined to chrome sandbox transition". I have it set on
> my machine and I don't get those alerts. YMMV

Doesn't explain why the auditctl line doesn't work but I'll give it a go anyway.

So where is semanage? Turns out it's hidden in policycoreutils-python-
utils (bash found it where I couldn't). It's certainly well hidden.

So:
# semanage boolean --on unconfined_chrome_sandbox_transition

Usage: semanage boolean [-h] [-n] [-N] [-S STORE] [  --extract  | --deleteall  | --list -C | --modify ( --on | --off ) boolean ]

Also:
# semanage boolean -l|grep unconfined_chrome_sandbox_transition

unconfined_chrome_sandbox_transition (on   ,   on)  Allow unconfined to chrome sandbox transition

Which seems to indicate that the boolean is already set, but the audit flood continues.

poc
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]
  Powered by Linux