Bug 829118
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/bash from 'execute_no_trans' accesses on the file /usr/lib/virtualbox/VBoxManage. |
| Product | Fedora |
| Component | selinux-policy |
| Version | 17 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Devon Janitz <devonjanitz> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, mgrepl, nesnera |
| Keywords | Reopened |
| Target Milestone | --- |
| Target Release | --- |
| Whiteboard | abrt_hash:a22054d42521528841bade2b8ed40720f7198f14f1b7015d71babafec69eab8f |
| Doc Type | Bug Fix |
| Last Closed | 2012-06-22 09:53:56 UTC |
| Attachments | bug report log (attachment 605546) |
Description
Devon Janitz
2012-06-06 04:04:12 UTC
This has occurred again and came after today's kernel upgrade from Fedora.

Please execute
# restorecon -R -v /usr/lib/virtualbox/VBoxManage

I did run /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage from the SELinux troubleshooter and that did not work and returns the results of

Traceback (most recent call last):
  File "/bin/sealert", line 50, in <module>
    from setroubleshoot.util import get_identity, load_plugins
  File "/usr/lib64/python2.7/site-packages/setroubleshoot/util.py", line 283, in <module>
    file_types = setools.seinfo(setools.ATTRIBUTE,"file_type")[0]["types"]
  File "/usr/lib64/python2.7/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.

I will try your command now and see what the results are over the next day or so.
Thanks,
Devon

I did run the command restorecon -R -v /usr/lib/virtualbox/VBoxManage and this did not correct the error. Seems to occur at each restart.
Devon

Ok, what does
grep -r VBoxManage /etc/selinux/targeted/contexts/

It returns the results below, and VBoxManage is highlighted in red color.
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/virtualbox/VBoxManage -- system_u:object_r:bin_t:s0
Which looks correct.

# ls -Z /usr/lib/virtualbox/VBoxManage

Good day Miroslav,
Results are below. Random thing this morning, the error is not occurring anymore as of this AM when I turned on my computer. Really have no idea why at this time. If this makes it a dead issue, thanks very much for your time. I know you can not fix something that is not broke.
Devon
[root@fisc-dcj-xpsf ~]# ls -Z /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/lib/virtualbox/VBoxManage
[root@fisc-dcj-xpsf ~]#

Ok, reopen if this happens again.

Created attachment 605546 [details]
bug report log

I have met with "SELinux is preventing /usr/bin/bash from 'execute_no_trans'.. " many times. This bug should be reopened, I think. Have a look at the log file.

This is still returning on each update of Virtual Box. Is this a bug that should be passed to them?

SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage.

***** Plugin restorecon (93.9 confidence) suggests *************************
If you want to fix the label.
/usr/lib/virtualbox/VBoxManage default label should be bin_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage

***** Plugin leaks (6.10 confidence) suggests ******************************
If you want to ignore bash trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (1.43 confidence) suggests ***************************
If you believe that bash should be allowed execute_no_trans access on the VBoxManage file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:textrel_shlib_t:s0
Target Objects                /usr/lib/virtualbox/VBoxManage [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.37-2.fc17.x86_64
Target RPM Packages           VirtualBox-4.2-4.2.0_80737_fedora17-1.x86_64
Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fisc-dcj-fedora 3.5.3-1.fc17.x86_64 #1 SMP Wed Aug 29 18:46:34 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-09-13 19:19:38 EDT
Last Seen                     2012-09-13 19:19:38 EDT
Local ID                      41ae567b-a967-46ac-bc35-ed9ad997186f

Raw Audit Messages
type=AVC msg=audit(1347578378.82:74): avc: denied { execute_no_trans } for pid=1818 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=2763345 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
type=SYSCALL msg=audit(1347578378.82:74): arch=x86_64 syscall=execve success=no exit=EACCES a0=15d9160 a1=15d84c0 a2=15d8120 a3=18 items=0 ppid=1813 pid=1818 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: sh,boinc_t,textrel_shlib_t,file,execute_no_trans

audit2allow
#============= boinc_t ==============
allow boinc_t textrel_shlib_t:file execute_no_trans;

audit2allow -R
#============= boinc_t ==============
allow boinc_t textrel_shlib_t:file execute_no_trans;

Ok, what does
# rpm -qa --scripts |grep semanage
I believe the VirtualBox package adds this labeling.

# rpm -qa --scripts |grep semanage
# The HD worked hard but the result was an empty row :(
repoquery -i VirtualBox
Name        : VirtualBox
Version     : 4.1.18
Release     : 1.fc17
Architecture: x86_64
Size        : 69619314
Packager    : <http://nonfree.rpmfusion.org/>
Group       : Development/Tools
URL         : http://www.virtualbox.org/wiki/VirtualBox
Repository  : rpmfusion-free-updates
Summary     : A general-purpose full virtualizer for PC hardware
Source      : VirtualBox-4.1.18-1.fc17.src.rpm
Description : A general-purpose full virtualizer and emulator for 32-bit and 64-bit x86 based PC-compatible machines.

Submitted rpm -qa --scripts |grep semanage and got no results returned. Could this be a result that I have already issued the command restorecon -R -v /usr/lib/virtualbox/VBoxManage to correct the problem again?
Devon

No. Strange that you would not find one semanage command. You could also look for semodule. What does semodule -l output, looking for something referring to VirtualBox or Vbox.

Output is shortened to that area.
uuidd 1.0.0
varnishd 1.2.0
vbetool 1.6.0
vdagent 1.0.0
vhostmd 1.0.0
virt 1.4.2
vlock 1.0.1
vmware 2.3.1
vnstatd 1.0.0
vpn 1.14.0
w3c 1.0.0

Nothing obvious there?
rpm -qf /etc/selinux/targeted/modules/active/modules/*pp | grep -v selinux-policy

I entered the command above and it did not return anything. So I removed the grep portion and it returned "selinux-policy-targeted-3.10.0-146.fc17.noarch" over a hundred times I believe.

What does
# grep -r VBoxManage /etc/selinux/targeted/contexts

I can confirm the same behaviour as in Comment #19
# grep -r VBoxManage /etc/selinux/targeted/contexts
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/virtualbox/VBoxManage -- system_u:object_r:bin_t:s0
(for selinux-policy.noarch 0:3.10.0-149.fc17)

Ok,
# restorecon -v /usr/lib/virtualbox/VBoxManage
# ls -Z /usr/lib/virtualbox/VBoxManage

# restorecon -v /usr/lib/virtualbox/VBoxManage
<blank row>
# ls -Z /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/lib/virtualbox/VBoxManage

Ok, it looks correct.
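The thread's diagnosis turns on one comparison: the AVC says the file is labeled textrel_shlib_t, while file_contexts says its default is bin_t, so the right fix is a relabel (restorecon), not the audit2allow module that sealert's catchall plugin offers. The script below is an added example, not code from this bug, from selinux-policy or from setroubleshoot. It parses a raw AVC line, rebuilds sealert's "Hash:" key and the audit2allow rule, and compares the denied file's type with the default from a file_contexts excerpt. The AVC line is copied from the report; the file_contexts excerpt is constructed (only the VBoxManage entry comes from the thread), and the matcher is an exact-path lookup, a deliberate simplification of libselinux's regex-based matchpathcon.

```python
# Added example for triaging AVC denials that stem from a mislabeled file
# (not code from the bug thread, selinux-policy or setroubleshoot).
import re

# Copied from the report's "Raw Audit Messages".
SAMPLE_AVC = (
    'type=AVC msg=audit(1347578378.82:74): avc: denied { execute_no_trans } '
    'for pid=1818 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" '
    'ino=2763345 scontext=system_u:system_r:boinc_t:s0 '
    'tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file'
)

# Constructed file_contexts excerpt. The VBoxManage line is what the thread's
# grep returned; the other entries are illustrative, not from the page.
SAMPLE_FILE_CONTEXTS = """\
# path [filetype] context
/usr/lib/virtualbox/VBoxManage -- system_u:object_r:bin_t:s0
/usr/lib/virtualbox/VBoxSVC -- system_u:object_r:bin_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC's key=value fields plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """user:role:type[:range] -> type (the part policy rules are written on)."""
    return context.split(':')[2]


def hash_key(avc):
    """Same layout as sealert's "Hash:" line: comm,stype,ttype,tclass,perm."""
    return ','.join([avc['comm'], type_of(avc['scontext']),
                     type_of(avc['tcontext']), avc['tclass'], avc['perms'][0]])


def audit2allow_rule(avc):
    """The allow rule audit2allow would emit for this single denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(avc['scontext']),
                                   type_of(avc['tcontext']),
                                   avc['tclass'], perm_str)


def parse_file_contexts(text):
    """Literal-path entries only (assumption: no regex specs in the excerpt)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()          # path [filetype] context
        entries[parts[0]] = parts[-1]
    return entries


def triage(avc, file_contexts):
    """Decide between relabel and policy change.

    Returns ('relabel', restorecon command) when the label in the AVC differs
    from the file_contexts default, ('policy', allow rule) when the label is
    already the default so the denial is a real policy question, and
    ('unknown', None) when the path has no entry in the excerpt.
    """
    path = avc.get('path')
    expected = file_contexts.get(path)
    if expected is None:
        return 'unknown', None
    if type_of(expected) != type_of(avc['tcontext']):
        return 'relabel', 'restorecon -v ' + path
    return 'policy', audit2allow_rule(avc)


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print('Hash:', hash_key(avc))
    print('audit2allow would emit:', audit2allow_rule(avc))
    verdict, action = triage(avc, parse_file_contexts(SAMPLE_FILE_CONTEXTS))
    print('verdict: %s -> %s' % (verdict, action))
```

The point of `triage` is the order of checks: compare the denied object's type with its file_contexts default before even considering `audit2allow`. Loading the generated `mypol.pp` for this denial would grant boinc_t execute rights on every textrel_shlib_t file, which is far broader than the problem and leaves the wrong label in place for the next update to trip over again.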