On 12/29/2016 10:03 AM, Patrick O'Callaghan wrote: > On Thu, 2016-12-29 at 09:42 -0800, Rick Stevens wrote: >> On 12/29/2016 04:03 AM, Patrick O'Callaghan wrote: >>> On Thu, 2016-12-29 at 01:52 +0200, Alchemist wrote: >>>> 2016-12-28 14:44 GMT+02:00 Patrick O'Callaghan <pocallaghan@xxxxxxxxx>: >>>> >>>>> On Tue, 2016-12-27 at 21:17 +0200, Alchemist wrote: >>>>>> 2016-12-27 21:00 GMT+02:00 Patrick O'Callaghan <pocallaghan@xxxxxxxxx>: >>>>>> >>>>>>> On Tue, 2016-12-27 at 08:48 -0500, Tom Horsley wrote: >>>>>>>> On Tue, 27 Dec 2016 13:35:09 +0000 >>>>>>>> Patrick O'Callaghan wrote: >>>>>>>> >>>>>>>>> b) can be turned off? >>>>>>>> >>>>>>>> Edit grub.cfg and put audit=0 on the kernel command line. >>>>>>>> Disable the auditd service. >>>>>>>> No more audit messages from anything :-). >>>>>>> >>>>>>> Wasn't really the question. I want to know what it's telling me before >>>>>>> I decide whether to turn it off. >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> http://billauer.co.il/blog/2015/08/linux-google-chrome-aw-snap-seccomp/ >>>>> >>>>> Thanks, I had used ausearch to confirm these are SECCOMP errors, i.e. >>>>> problems with Chrome sandboxing (which apparently have been around for >>>>> a long time). However the URL above recommends just running Chrome >>>>> without the sandbox, which a) isn't a solution and b) is no longer >>>>> supported. >>>>> >>>>> Now that I know what it is, I can just ignore the audit errors. >>>>> >>>>> >>>> >>>> Yes, or you may add something like >>>> >>>> -a exclude,always -F msgtype=1326 >>>> or >>>> -a exclude,always -F exe=/opt/google/chrome/chrome >>>> >>>> to /etc/audit/audit.rules >>>> systemctl restart auditd >>> >>> systemctl doesn't work for this. You have to run "service restart auditd" >>> >>>> see man auditctl >>>> >>>> Because depending on Your Chrome usage, it could flood logs and make >>>> difficult to search something truly important. >>> >>> I've tried the second version (excluding the executable) but I'm still getting floods of audit messages: >>> >>> $ sudo auditctl exclude exe="/opt/google/chrome/chrome" >>> $ journal -e >>> Dec 29 11:53:42 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:53:42 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:53:51 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:53:51 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:00 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:00 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:09 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:09 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:20 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:20 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:27 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:27 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> Dec 29 11:54:39 bree audit[4208]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4208 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f6 >>> >>> etc. etc. >>> >>> The audit documentation is not helpful. Any ideas? >> >> Have you tried >> >> # semanage boolean --on unconfined_chrome_sandbox_transition >> >> which "allows unconfined to chrome sandbox transition". I have it set on >> my machine and I don't get those alerts. YMMV > > Doesn't explain why the auditctl line doesn't work but I'll give it a go anyway. > > So where is semanage? Turns out it's hidden in policycoreutils-python- > utils (bash found it where I couldn't). It's certainly well hidden. > > So: > # semanage boolean --on unconfined_chrome_sandbox_transition > > Usage: semanage boolean [-h] [-n] [-N] [-S STORE] [ --extract | --deleteall | --list -C | --modify ( --on | --off ) boolean ] > > Also: > # semanage boolean -l|grep unconfined_chrome_sandbox_transition > > unconfined_chrome_sandbox_transition (on , on) Allow unconfined to chrome sandbox transition > > Which seems to indicate that the boolean is already set, but the audit flood continues. Ok, yeah, that's what I've got. As to the auditctl line, the "exe=" clause can only be used on the "exit" list. I think what you want is: sudo auditctl -a exit,never -F exe=/opt/google/chrome/chrome e.g. "append a rule to the exit list so that it never generates an audit record for that executable". ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx - - AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 - - - - "I was contemplating the immortal words of Socrates when he said, - - 'I drank WHAT?'" -- Val Kilmer in "Real Genius" - ---------------------------------------------------------------------- _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
