Bug 966544

| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/bash from 'create' accesses on the file vboxadd-service. |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 18 |
| Status | CLOSED WONTFIX |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | x86_64 |
| OS | Unspecified |
| Reporter | Moez Roy <moez.roy> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, mgrepl, moez.roy |
| Whiteboard | abrt_hash:90e0549baa6f7a3ff653e2dce92be5c1b3da2dda6bbfb9661b88bb26d93bc918 |
| Doc Type | Bug Fix |
| Last Closed | 2014-02-05 23:10:07 UTC |

Description
Moez Roy
2013-05-23 12:59:10 UTC
We will need to create a policy for vboxadd-service.

quickbooks.office have you disabled unconfined module?

(In reply to Daniel Walsh from comment #2)
> quickbooks.office have you disabled unconfined module?

Yes I did:
sudo semodule -d unconfined

This is inside a Fedora 18 guest which has VirtualBox Guest Additions installed.

*** Bug 967645 has been marked as a duplicate of this bug. ***
*** Bug 968171 has been marked as a duplicate of this bug. ***
*** Bug 968170 has been marked as a duplicate of this bug. ***
*** Bug 969711 has been marked as a duplicate of this bug. ***

Created attachment 756469
vboxadd initial policy
Could you please download the archive, unpack it and run
# sh vboxadd.sh
re-test it and run
# id -Z
# ausearch -m avc -ts recent

*** Bug 969729 has been marked as a duplicate of this bug. ***
*** Bug 969730 has been marked as a duplicate of this bug. ***

[user@localhost ~]$ cd Down*
[user@localhost Downloads]$ sudo sh vboxadd.sh
[sudo] password for user:
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile vboxadd.pp
Compiling targeted vboxadd module
/usr/bin/checkmodule: loading policy configuration from tmp/vboxadd.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 15) to tmp/vboxadd.mod
Creating targeted vboxadd.pp policy package
rm tmp/vboxadd.mod tmp/vboxadd.mod.fc
+ /usr/sbin/semodule -i vboxadd.pp
+ sepolicy manpage -p . -d vboxadd_t
./vboxadd_selinux.8
++ pwd
+ pwd=/home/user/Downloads
+ rpmbuild --define '_sourcedir /home/user/Downloads' --define '_specdir /home/user/Downloads' --define '_builddir /home/user/Downloads' --define '_srcrpmdir /home/user/Downloads' --define '_rpmdir /home/user/Downloads' --define '_buildrootdir /home/user/Downloads/.build' -ba vboxadd_selinux.spec
vboxadd.sh: line 51: rpmbuild: command not found
+ /sbin/restorecon -F -R -v /usr/bin/VBoxService
/sbin/restorecon: lstat(/usr/bin/VBoxService) failed: No such file or directory
+ /sbin/restorecon -F -R -v /usr/lib/systemd/system/vboxservice.service
/sbin/restorecon: lstat(/usr/lib/systemd/system/vboxservice.service) failed: No such file or directory
[user@localhost Downloads]$

[user@localhost ~]$ sudo id -Z
[sudo] password for user:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[user@localhost ~]$ sudo ausearch -m avc -ts recent
----
time->Mon Jun 3 18:21:25 2013
type=SYSCALL msg=audit(1370308885.392:370): arch=c000003e syscall=87 success=no exit=-13 a0=7fff508c4ecd a1=7fff508c4ecd a2=7fff508c3740 a3=7fff508c34b0 items=0 ppid=3032 pid=3042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC 
msg=audit(1370308885.392:370): avc: denied { write } for pid=3042 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:25 2013 type=SYSCALL msg=audit(1370308885.395:371): arch=c000003e syscall=87 success=no exit=-13 a0=7fffa1d7cecc a1=7fffa1d7cecc a2=7fffa1d7b780 a3=7fffa1d7b4f0 items=0 ppid=3032 pid=3043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308885.395:371): avc: denied { write } for pid=3043 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:26 2013 type=SYSCALL msg=audit(1370308886.717:374): arch=c000003e syscall=87 success=no exit=-13 a0=7fffc4910ecd a1=7fffc4910ecd a2=7fffc4910770 a3=7fffc49104e0 items=0 ppid=3079 pid=3089 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308886.717:374): avc: denied { write } for pid=3089 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:26 2013 type=SYSCALL msg=audit(1370308886.721:375): arch=c000003e syscall=87 success=no exit=-13 a0=7ffff7d64ecc a1=7ffff7d64ecc a2=7ffff7d638a0 a3=7ffff7d63610 items=0 ppid=3079 pid=3090 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308886.721:375): avc: denied { write } for pid=3090 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 
scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:26 2013 type=SYSCALL msg=audit(1370308886.991:378): arch=c000003e syscall=87 success=no exit=-13 a0=7fffbbe99ecd a1=7fffbbe99ecd a2=7fffbbe98340 a3=7fffbbe980b0 items=0 ppid=3186 pid=3196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308886.991:378): avc: denied { write } for pid=3196 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:26 2013 type=SYSCALL msg=audit(1370308886.993:379): arch=c000003e syscall=87 success=no exit=-13 a0=7fff768f1ecc a1=7fff768f1ecc a2=7fff768f1630 a3=7fff768f13a0 items=0 ppid=3186 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308886.993:379): avc: denied { write } for pid=3197 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:30 2013 type=SYSCALL msg=audit(1370308890.044:381): arch=c000003e syscall=87 success=no exit=-13 a0=7fffd9676ecc a1=7fffd9676ecc a2=7fffd96749f0 a3=7fffd9674760 items=0 ppid=3429 pid=3440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308890.044:381): avc: denied { write } for pid=3440 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:30 
2013 type=SYSCALL msg=audit(1370308890.136:382): arch=c000003e syscall=87 success=no exit=-13 a0=7fff6c6abecd a1=7fff6c6abecd a2=7fff6c6aa710 a3=7fff6c6aa480 items=0 ppid=3457 pid=3467 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308890.136:382): avc: denied { write } for pid=3467 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:30 2013 type=SYSCALL msg=audit(1370308890.141:383): arch=c000003e syscall=87 success=no exit=-13 a0=7fff7e398ecc a1=7fff7e398ecc a2=7fff7e397110 a3=7fff7e396e80 items=0 ppid=3457 pid=3469 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308890.141:383): avc: denied { write } for pid=3469 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:21:30 2013 type=SYSCALL msg=audit(1370308890.040:380): arch=c000003e syscall=87 success=no exit=-13 a0=7fffd6072ecd a1=7fffd6072ecd a2=7fffd6071090 a3=7fffd6070e00 items=0 ppid=3429 pid=3439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308890.040:380): avc: denied { write } for pid=3439 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.530:389): arch=c000003e syscall=87 success=no exit=-13 a0=7fffbf5a9ecd a1=7fffbf5a9ecd 
a2=7fffbf5a8040 a3=7fffbf5a7db0 items=0 ppid=5367 pid=5377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.530:389): avc: denied { write } for pid=5377 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.534:390): arch=c000003e syscall=87 success=no exit=-13 a0=7fff044c2ecc a1=7fff044c2ecc a2=7fff044c0d00 a3=7fff044c0a70 items=0 ppid=5367 pid=5378 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.534:390): avc: denied { write } for pid=5378 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.605:391): arch=c000003e syscall=87 success=no exit=-13 a0=7fffb4cd3ecd a1=7fffb4cd3ecd a2=7fffb4cd1e80 a3=7fffb4cd1bf0 items=0 ppid=5389 pid=5399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.605:391): avc: denied { write } for pid=5399 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.607:392): arch=c000003e syscall=87 success=no exit=-13 a0=7fff3feffecc a1=7fff3feffecc a2=7fff3feff090 a3=7fff3fefee00 items=0 ppid=5389 pid=5400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.607:392): avc: denied { write } for pid=5400 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.694:393): arch=c000003e syscall=165 success=no exit=-13 a0=0 a1=7f520fcacaf0 a2=4586fb a3=4 items=0 ppid=1 pid=5431 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="automount" exe="/opt/VBoxGuestAdditions-4.2.51/sbin/VBoxService" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.694:393): avc: denied { mounton } for pid=5431 comm="automount" path="/media/sf_IsolatedV19" dev="sda2" ino=133012 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.710:394): arch=c000003e syscall=2 success=no exit=-13 a0=b5a170 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=5415 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="vboxadd-service" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1370308930.710:394): avc: denied { create } for pid=5415 comm="vboxadd-service" name="vboxadd-service" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.770:396): arch=c000003e syscall=87 success=no exit=-13 a0=7fffe11c4ecd a1=7fffe11c4ecd a2=7fffe11c2e00 a3=7fffe11c2b70 items=0 ppid=5446 pid=5456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.770:396): avc: denied { write } for 
pid=5456 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.772:397): arch=c000003e syscall=87 success=no exit=-13 a0=7fff10561ecc a1=7fff10561ecc a2=7fff10561360 a3=7fff105610d0 items=0 ppid=5446 pid=5457 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.772:397): avc: denied { write } for pid=5457 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.832:398): arch=c000003e syscall=87 success=no exit=-13 a0=7fff2d864ecd a1=7fff2d864ecd a2=7fff2d8632a0 a3=7fff2d863010 items=0 ppid=5466 pid=5476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.832:398): avc: denied { write } for pid=5476 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir ---- time->Mon Jun 3 18:22:10 2013 type=SYSCALL msg=audit(1370308930.833:399): arch=c000003e syscall=87 success=no exit=-13 a0=7fff3ed30ecc a1=7fff3ed30ecc a2=7fff3ed2fd20 a3=7fff3ed2fa90 items=0 ppid=5466 pid=5477 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1370308930.833:399): avc: denied { write } for pid=5477 comm="ln" name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
[user@localhost ~]$

http://www.virtualbox.org/download/testcase/VirtualBox-4.2.51-86055-Linux_amd64.run

can you put the vboxadd initial policy into selinux-policy fc18 & fc19. thanks

the above url is now 404

The problem is

+ /sbin/restorecon -F -R -v /usr/bin/VBoxService
/sbin/restorecon: lstat(/usr/bin/VBoxService) failed: No such file or directory
+ /sbin/restorecon -F -R -v /usr/lib/systemd/system/vboxservice.service
/sbin/restorecon: lstat(/usr/lib/systemd/system/vboxservice.service) failed:

so we need to label them correctly on your system.

chcon -t vboxadd_exec_t PATHTO/VBoxService
chcon -t vboxadd_unit_file_t PATHTO/vboxservice.service

*** Bug 976939 has been marked as a duplicate of this bug. ***
*** Bug 976936 has been marked as a duplicate of this bug. ***

This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
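
Most of the ausearch output quoted in this report is one `ln` denial repeated; collapsing each AVC record to (source type, target type, class, permission, command) leaves the distinct denials a policy author has to deal with. This is an added example, not part of the bug report or of selinux-policy: the function names are hypothetical, and treating `init_t`/`initrc_t` as "generic init domains" is an assumption of the example.

```python
import re
from collections import Counter

# AVC records copied from the ausearch output quoted in this report.
SAMPLE = "\n".join([
    'type=AVC msg=audit(1370308885.392:370): avc: denied { write } for pid=3042 comm="ln" '
    'name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir',
    'type=AVC msg=audit(1370308885.395:371): avc: denied { write } for pid=3043 comm="ln" '
    'name="anaconda.target.wants" dev="sda2" ino=270171 scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir',
    'type=AVC msg=audit(1370308930.694:393): avc: denied { mounton } for pid=5431 comm="automount" '
    'path="/media/sf_IsolatedV19" dev="sda2" ino=133012 scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'type=AVC msg=audit(1370308930.710:394): avc: denied { create } for pid=5415 '
    'comm="vboxadd-service" name="vboxadd-service" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:var_lock_t:s0 tclass=file',
])

# Matches across whitespace and newlines, so records run together on one line still parse.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*?)'
    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)', re.S)
GENERIC_INIT_DOMAINS = {"init_t", "initrc_t"}  # assumption: no dedicated service domain

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm, comm) per denied permission."""
    for m in AVC_RE.finditer(text):
        perms, fields, scon, tcon, tclass = m.groups()
        comm = re.search(r'comm="([^"]*)"', fields)
        for perm in perms.split():
            yield (selinux_type(scon), selinux_type(tcon), tclass, perm,
                   comm.group(1) if comm else "?")

def summarize(text):
    """Collapse repeated denials into (denial, count) pairs, most frequent first."""
    return Counter(parse_avc(text)).most_common()

def generic_domain_denials(text):
    """Distinct denials raised by a process still running in a generic init domain."""
    return sorted({d for d in parse_avc(text) if d[0] in GENERIC_INIT_DOMAINS})

if __name__ == "__main__":
    for denial, count in summarize(SAMPLE):
        print(count, *denial)
```
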