Bug 473500 - SELinux denies VirtualBox (unconfined_t) "execmod" to /usr/lib/virtualbox/VirtualBox.so (lib_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance

Reported: 2008-11-28 16:33 EST by Stan Trzmiel
Modified: 2008-12-16 10:08 EST
Last Closed: 2008-12-16 10:08:07 EST

Description Stan Trzmiel 2008-11-28 16:33:28 EST
Created attachment 325043
Whole troubleshooting tool alert dumped

Description of problem:
SELinux blocks the launch of VirtualBox, with this message in the SELinux troubleshooting tool:
SELinux denies VirtualBox (unconfined_t) "execmod" to /usr/lib/virtualbox/VirtualBox.so (lib_t).

The suggested attempt to relabel the file causes another SELinux denial:
SELinux denies restorecon (setfiles_t) "read write" to unconfined_t.

Turning "allow_execmod" on doesn't help either.

Version-Release number of selected component (if applicable):
VirtualBox-2.0.6_39765_fedora9-1.i386.rpm
selinux-policy-3.5.13-18.fc10.noarch
libselinux-2.0.73-1.fc10.i386



How reproducible:
100%

Steps to Reproduce:
Install VirtualBox-2.0.6_39765_fedora9-1.i386.rpm and try to start the application

  
Actual results: VirtualBox manager won't start


Expected results: VirtualBox should appear and allow me to turn my virtual machine on.


Additional info:
Comment 1 Daniel Walsh 2008-12-01 15:47:23 EST
The read/write problem is a leaked file descriptor.  Are you using konsole?


Does

chcon -t testrel_shlib_t /usr/lib/virtualbox/*.so

fix the problem?

Please attach the execmod AVC.
Comment 2 Daniel Walsh 2008-12-01 15:49:14 EST
Also please report this as a bug to virtualbox since they are building their libraries incorrectly.
 
Attach a link to:

http://people.redhat.com/~drepper/selinux-mem.html
Comment 3 Stan Trzmiel 2008-12-03 18:29:41 EST
Here's raw audit message:
node=localhost.localdomain type=AVC msg=audit(1228346126.832:54): avc: denied { execmod } for pid=3546 comm="VirtualBox" path="/usr/lib/virtualbox/VirtualBox.so" dev=sda2 ino=132980 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1228346126.832:54): arch=40000003 syscall=125 success=no exit=-13 a0=9c1000 a1=309000 a2=5 a3=bf80b200 items=0 ppid=3025 pid=3546 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

______________________________________________________________________________


I can't change SELinux context

Executing "chcon -t testrel_shlib_t /usr/lib/virtualbox/*.so" as root gives "chcon: unable to change context `/usr/lib/virtualbox/VRDPAuth.so' to `system_u:object_r:testrel_shlib_t:s0': Wrong argument" and another SELinux alert: "SELinux deny chcon (unconfined_t) "mac_admin" to unconfined_t".

Update to selinux-policy-3.5.13-26.fc10.noarch doesn't help. The same app under Fedora 9 works just fine.
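
Added example, not part of the original bug thread: a small Python parser that pairs the AVC and SYSCALL records quoted in comment 3 by their event id and decodes the denied call. The function names and the one-entry syscall table are assumptions made for this example; the record text is copied from the comment.

```python
import re

# Records copied from comment 3, one per line (AVC first, then SYSCALL).
RECORDS = """\
node=localhost.localdomain type=AVC msg=audit(1228346126.832:54): avc: denied { execmod } for pid=3546 comm="VirtualBox" path="/usr/lib/virtualbox/VirtualBox.so" dev=sda2 ino=132980 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1228346126.832:54): arch=40000003 syscall=125 success=no exit=-13 a0=9c1000 a1=309000 a2=5 a3=bf80b200 items=0 ppid=3025 pid=3546 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
# Assumption: only the (arch, syscall) pair seen in this report is mapped.
SYSCALLS = {("40000003", "125"): "mprotect"}  # AUDIT_ARCH_I386, __NR_mprotect

def parse_records(text):
    """Group audit records by event id (timestamp:serial), keyed by type."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)", line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}
        perms = re.search(r"\{ ([^}]*) \}", body)  # denied permission set
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def explain_execmod(event):
    """Summarise an execmod denial from its AVC and SYSCALL records."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or not sc or "execmod" not in avc.get("perms", []):
        return None
    call = SYSCALLS.get((sc["arch"], sc["syscall"]), "syscall " + sc["syscall"])
    start, length = int(sc["a0"], 16), int(sc["a1"], 16)  # audit logs args in hex
    prot = int(sc["a2"], 16)  # third mprotect argument: requested protection
    return {
        "syscall": call,
        "prot": "|".join(name for bit, name in PROT.items() if prot & bit),
        "range": (start, start + length),
        "errno": -int(sc["exit"]),
        "path": avc["path"],
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
    }

if __name__ == "__main__":
    for event_id, event in parse_records(RECORDS).items():
        print(event_id, explain_execmod(event))
```

For this event the result is mprotect with PROT_READ|PROT_EXEC on a mapping of VirtualBox.so, failing with errno 13 (EACCES). SELinux checks such a request as execmod when the file-backed mapping has been written to, which is what happens when a library carries text relocations.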
Comment 4 Daniel Walsh 2008-12-04 08:08:43 EST
Typo 

# chcon -t textrel_shlib_t /usr/lib/virtualbox/*.so

Fixed in selinux-policy-3.5.13-31.fc10.noarch
Comment 5 Stan Trzmiel 2008-12-16 07:03:32 EST
Hi,

It works great now, thanks.
