jcm's blog

Code: http://jonmasters.org/pub/util/awayping/awayping.txt

Do you constantly get harassed on IRC with “ping?” (insert no context whatsoever here), of course you do. And then you come back later with a bunch of “ping” and no idea what the person wanted.

For those who just bought a computer ten minutes ago (I know there are still a few people out there), here’s an example of fail:

<someone> jonmasters: ping

That is utterly useless. It results in a ping/pong/ping cycle that can go on at some length, and then probably an accompanying email cycle, and maybe worse. Multiply that by a half dozen-dozen different pings and you’ve wasted a fair chunk of time just to find out what someone wants – and have no ability to prioritize or even know if the issue is still even an issue when you read a ping even a few minutes later. Here’s an example of non-fail:

<someone> jonmasters: some useful contextual message here?

I know many of you gave up even listening to these contextless “ping” messages years ago (because we’ve spoken about it at some length), or you don’t bother to leave anything connected to IRC if you’re not in front of it, or you just don’t care (hoping that people will learn how to use a computer and try again). But in case you still do care, I would like to share a plugin I wrote for ZNC called “awayping”. Away ping texts (a single line), emails you (full IRC transcripts), and tweets you (by private message) when you are detached or after a configurable idle period. It’s better than simply “autoaway”.

Awayping is getting slightly more clever over time, and the new “antiping” feature enhances awayping by also politely educating those who “ping” you (by private message) that leaving a message is infinitely more helpful later than simply 5 “ping”s on the screen. It might also encourage a few people to consider that they could send you email instead.

Here’s an example “antiping” reply:

<jonmasters> *********************************************************
<jonmasters> *** This user is marked as busy. A text message just  ***
<jonmasters> *** got sent with your 'ping'. But 'ping' alone isn't ***
<jonmasters> *** useful in a text/log message. Can you let me know ***
<jonmasters> *** what your ping was about? Your reply will be sent ***
<jonmasters> *** along so I can respond appropriately upon return. ***
<jonmasters> *********************************************************

With “awayping”, you can get email or text alerts of pending “ping” messages, and encourage people to use the internet responsibly, so you don’t have to constantly check IRC and can do something more useful instead. Because, let’s face it, they’re just going to email you anyway.

Jon.

So I’ve been writing about a couple of weeks as a user of SELinux on Fedora. I thought I’d give an update about the experience.

After a week as a user of SELinux in enforcing mode, I had learned a few things. I had learned that it isn’t always possible (without using command line utilities) to download a CD image and use it to install a virtual machine, or to use an alternate location for virtual machine images, and a number of other (minor) issues. By this, I mean that none of these things can be done trivially by end users or developers who don’t know about commands like chcon, and their use. To many end users, this simply means these (seemingly quite straightforward) activities are now “impossible”, since they simply will not properly understand why they are not working in the way they had intended. In this case the appearance of us being secure has trumped over general functionality.

Late last week, I decided to allow my laptop to apply the latest Fedora updates. I rebooted into the updated environment (new kernel image) and tried to connect to my corporate VPN using VPNC. Although it was able to connect, the connection script generated repeated errors trying to run commands like “ip” and “ifconfig”. So, I spent roughly 6 hours on Sunday night reading SELinux documentation, books, whitepapers, commands, and the Fedora SELinux “targeted” policy itself. I concluded that the update had disallowed the VPNC domain access to the sysnetwork domain in which those various networking commands exist.

Without getting into specifics too much (BZ453236 has my analysis attached), NetworkManager is able to start VPNC because it runs in a system context (which has a specific policy item to allow access to network commands), whereas regularly started tty incantations of VPNC will run unconfined. In that case, audit2allow suggested adding:

role unconfined_t types ifconfig_t

Which was actually in a pending update to the policy (it hadn’t made the changelog so I hadn’t noticed it when skimming recent koji builds). I installed the new build, and lo-and-behold my VPNC worked again. I wasn’t particularly bothered by this experience – I learned a lot about SELinux policy, the different files, and how it all goes together that I’m sure has changed since I looked at this stuff nearly a decade ago. But I’m not blogging about this because of me, I’m thinking about the end-user experience. The user facing this problem might have filled a Bugzilla, and they might even have realized this was due to SELinux (no AVC denial messages given) and tried fixing the problem for themself. But they probably instead decided that something was broken with Fedora and just went away frustrated. Security trumped over functionality of a generic laptop system.

All I can do is hope that, in time, the community will realize the many uses that SELinux has, and the many that it does not. It’s great if you work for the NSA, have lots of servers to protect from the Interwebulous Tubes of the Internet, or are just a paranoid type. In those cases, SELinux has many advantages – especially if you’re running a timesharing system and distrust all of your users, to varying or equal amounts. This is one of many compelling justifications for SELinux to exist in Enterprise Linux products, and as an optional installation item on various other spins of Fedora – for example, for server targets. These are also good reasons to offer end users the option of turning on SELinux, if they desire.

But for the average Desktop user (you know, the type that we, as a community occasionally like to encourage…) SELinux often ostensibly gets in their way. You don’t have to choose to believe this if you don’t want to, but it can’t be managed graphically (that’s where most people will give up), the policy is highly complex (I’ve read bits of it), and what exactly does the average laptop user sitting behind a firewall with only a few non-external-facing Desktop applications need it for anyway? To protect them from themself? In case the guy in Starbucks is a l33t h4×0r? To protect them from a relatively minor subset of possible security attack vectors unlikely to be used against them at home? I’m still waiting to be convinced that it should *always* be on by default.

As a final note, remember that I’m not criticizing the Fedora community, SELinux developers, or other individuals. I’m saying that the end user experience is lacking in a few fixable ways. Mainly by bringing back an obvious option during installation that explains why Fedora offers this feature, and gives users who don’t want it a choice of turning it off.

Jon.

So today, I allowed my laptop to upgrade to the latest F9 packages. Shortly afterward, VPNC could no longer run its connection script to connect to my corporate VPN connection.

I looked for an AVC denial message in my GNOME notification area (it was only later that I’d be paranoid and check that the sealert and friends were actually being allowed to run, which they were), but there was none. And none of the system logs readily showed any SELinux problem, so I decided it wasn’t time to Just Blame SELinux. A half hour of hacking at the VPNC script later, and getting confused why the commands within that script would run via sudo but didn’t seem to be running when called by VPNC, and I had myself an answer. Obviously it must be SELinux at fault, somehow, somewhere, sometime.

Calling setenforce 0 before running VPNC results in no errors and the VPN comes up just fine, whereas turning SELinux back on immediately results in a failure to run the connection script. The RPM itself reports context information that is consistent with that on the actual files, and again, there are no denial messages being reported – running sealert manually would seem to confirm this, and there are no messages in obvious log files. So it comes down to this: something is broken in F9, I can’t yet determine where it is, but a simple update has resulted in SELinux causing yet more pain that it’s ever possibly worth.

I’ve almost learned my lesson. I listened to certain people when they suggested that using SELinux was a great idea, and that doing this on F9 is super cool because it wouldn’t get in the way, and that it’s all great because we can protect ourselves from ourselves and our own evil actions. But all these people have forgotten one minor point – SELinux policy is so complex and/that we get these random failures. This is a highly undesirable user experience for a desktop. I’m about ready, once again, to hurtle SELinux out of the window as far as humanly possible. Way too overly intrusive to be actually useful.

Yes, I’m sure there’s a BZ somewhere, and I could just wait for another set of package updates that I’m sure will resynchronize policy with package, but let’s please notice that in the meantime, Joe User has long since given up and gone out to play with Little Billy and his friends. I’m trying to write these entries here to convey the undesirable user experience, and not whether I personally know enough to work around it. The average Fedora/Linux user doesn’t have 14 years of experience at dealing with this kind of thing.

Time for some (decaf) coffee.

Jon.