Bug 829118
| Summary: | SELinux is preventing /usr/bin/bash from 'execute_no_trans' accesses on the file /usr/lib/virtualbox/VBoxManage. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Devon Janitz <devonjanitz> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl, nesnera | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | abrt_hash:a22054d42521528841bade2b8ed40720f7198f14f1b7015d71babafec69eab8f | ||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-06-22 09:53:56 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This has occured again and came after today kernel upgrade from Fedora. PLease execute # restorecon -R -v /usr/lib/virtualbox/VBoxManage I did run /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage from the SELinux truoble shooter and that did not work and returns the results of
Traceback (most recent call last):
File "/bin/sealert", line 50, in <module>
from setroubleshoot.util import get_identity, load_plugins
File "/usr/lib64/python2.7/site-packages/setroubleshoot/util.py", line 283, in <module>
file_types = setools.seinfo(setools.ATTRIBUTE,"file_type")[0]["types"]
File "/usr/lib64/python2.7/site-packages/setools/__init__.py", line 49, in seinfo
dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.
I will try your command now and see what the results are over the next day or so.
Thanks, Devon
I did run the command restorecon -R -v /usr/lib/virtualbox/VBoxManage and this did not correct the error. Seems to occur at each restart. Devon Ok, what does grep -r VBoxManage /etc/selinux/targeted/contexts/ It returns the results below, and VBoxManage is highlighted in red color. /etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/virtualbox/VBoxManage -- system_u:object_r:bin_t:s0 Which looks correct. # ls -Z /usr/lib/virtualbox/VBoxManage Good day Miroslav, Results are below. Random thing this morning, the error is not occurring anymore as of this AM when I turned on my computer. Really have no idea why at this time. If this makes it a dead issue, thanks very much for your time. I know you can not fix something that is not broke. Devon [root@fisc-dcj-xpsf ~]# ls -Z /usr/lib/virtualbox/VBoxManage -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/lib/virtualbox/VBoxManage [root@fisc-dcj-xpsf ~]# Ok, reopen if this happens again. Created attachment 605546 [details]
bug report log
I have met with "SELinux is preventing /usr/bin/bash from 'execute_no_trans'.. " many times. This bug should be reopened, I think. Have a look at log file.
This is still returning on each udpate of Virtual Box. Is this a bug that should be passed to them?
SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage.
***** Plugin restorecon (93.9 confidence) suggests *************************
If you want to fix the label.
/usr/lib/virtualbox/VBoxManage default label should be bin_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage
***** Plugin leaks (6.10 confidence) suggests ******************************
If you want to ignore bash trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (1.43 confidence) suggests ***************************
If you believe that bash should be allowed execute_no_trans access on the VBoxManage file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:boinc_t:s0
Target Context system_u:object_r:textrel_shlib_t:s0
Target Objects /usr/lib/virtualbox/VBoxManage [ file ]
Source sh
Source Path /usr/bin/bash
Port <Unknown>
Host (removed)
Source RPM Packages bash-4.2.37-2.fc17.x86_64
Target RPM Packages VirtualBox-4.2-4.2.0_80737_fedora17-1.x86_64
Policy RPM selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux fisc-dcj-fedora 3.5.3-1.fc17.x86_64 #1 SMP
Wed Aug 29 18:46:34 UTC 2012 x86_64 x86_64
Alert Count 1
First Seen 2012-09-13 19:19:38 EDT
Last Seen 2012-09-13 19:19:38 EDT
Local ID 41ae567b-a967-46ac-bc35-ed9ad997186f
Raw Audit Messages
type=AVC msg=audit(1347578378.82:74): avc: denied { execute_no_trans } for pid=1818 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=2763345 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
type=SYSCALL msg=audit(1347578378.82:74): arch=x86_64 syscall=execve success=no exit=EACCES a0=15d9160 a1=15d84c0 a2=15d8120 a3=18 items=0 ppid=1813 pid=1818 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)
Hash: sh,boinc_t,textrel_shlib_t,file,execute_no_trans
audit2allow
#============= boinc_t ==============
allow boinc_t textrel_shlib_t:file execute_no_trans;
audit2allow -R
#============= boinc_t ==============
allow boinc_t textrel_shlib_t:file execute_no_trans;
Ok, what does # rpm -qa --scripts |grep semanage I believe the VirtualBox package adds this labeling. # rpm -qa --scripts |grep semanage # HD worked hard but empty row was result :( repoquery -i VirtualBox Name : VirtualBox Version : 4.1.18 Release : 1.fc17 Architecture: x86_64 Size : 69619314 Packager : <http://nonfree.rpmfusion.org/> Group : Development/Tools URL : http://www.virtualbox.org/wiki/VirtualBox Repository : rpmfusion-free-updates Summary : A general-purpose full virtualizer for PC hardware Source : VirtualBox-4.1.18-1.fc17.src.rpm Description : A general-purpose full virtualizer and emulator for 32-bit and 64-bit x86 based PC-compatible machines. Submitted rpm -qa --scripts |grep semanage and got no results returned. Could this be a result that I have already issued the command restorecon -R -v /usr/lib/virtualbox/VBoxManage to correct the problem again? Devon No. Strange that you you would not find one semanage command. You could also look for semodule. What does semodule -l output, looking for something referring to VirtualBox or Vbox. Output is shortened to that area. uuidd 1.0.0 varnishd 1.2.0 vbetool 1.6.0 vdagent 1.0.0 vhostmd 1.0.0 virt 1.4.2 vlock 1.0.1 vmware 2.3.1 vnstatd 1.0.0 vpn 1.14.0 w3c 1.0.0 Nothing obvious there? rpm -qf /etc/selinux/targeted/modules/active/modules/*pp | grep -v selinux-policy I entered the command above and it did not return anything. So I removed the grep portion and it returned "selinux-policy-targeted-3.10.0-146.fc17.noarch" over a hundred times I believe. What does # grep -r VBoxManage /etc/selinux/targeted/contexts I can confirm the same behaviour as in the Comment #19 # grep -r VBoxManage /etc/selinux/targeted/contexts /etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/virtualbox/VBoxManage -- system_u:object_r:bin_t:s0 (for selinux-policy.noarch 0:3.10.0-149.fc17) Ok, # restorecon -v /usr/lib/virtualbox/VBoxManage # ls -Z /usr/lib/virtualbox/VBoxManage # restorecon -v /usr/lib/virtualbox/VBoxManage <blank row> # ls -Z /usr/lib/virtualbox/VBoxManage -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/lib/virtualbox/VBoxManage Ok, it looks correct. |
libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.7-1.fc17.x86_64 time: Wed 06 Jun 2012 12:03:55 AM EDT description: :SELinux is preventing /usr/bin/bash from 'execute_no_trans' accesses on the file /usr/lib/virtualbox/VBoxManage. : :***** Plugin restorecon (93.9 confidence) suggests ************************* : :If you want to fix the label. :/usr/lib/virtualbox/VBoxManage default label should be bin_t. :Then you can run restorecon. :Do :# /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage : :***** Plugin leaks (6.10 confidence) suggests ****************************** : :If you want to ignore bash trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access. :Then you should report this as a bug. :You can generate a local policy module to dontaudit this access. :Do :# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol :# semodule -i mypol.pp : :***** Plugin catchall (1.43 confidence) suggests *************************** : :If you believe that bash should be allowed execute_no_trans access on the VBoxManage file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep sh /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:boinc_t:s0 :Target Context system_u:object_r:textrel_shlib_t:s0 :Target Objects /usr/lib/virtualbox/VBoxManage [ file ] :Source sh :Source Path /usr/bin/bash :Port <Unknown> :Host (removed) :Source RPM Packages bash-4.2.28-1.fc17.x86_64 :Target RPM Packages VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64 :Policy RPM selinux-policy-3.10.0-128.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.7-1.fc17.x86_64 #1 SMP Mon : May 21 22:32:19 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen Wed 06 Jun 2012 12:01:55 AM EDT :Last Seen Wed 06 Jun 2012 12:01:55 AM EDT :Local ID 68b1d800-8534-4ed6-b592-b0a46b8d53ec : :Raw Audit Messages :type=AVC msg=audit(1338955315.409:103): avc: denied { execute_no_trans } for pid=2719 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=3158964 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file : : :type=SYSCALL msg=audit(1338955315.409:103): arch=x86_64 syscall=execve success=no exit=EACCES a0=95f180 a1=95f0d0 a2=95e100 a3=18 items=0 ppid=2714 pid=2719 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null) : :Hash: sh,boinc_t,textrel_shlib_t,file,execute_no_trans : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :