First Last Prev Next    This bug is not in your last search results.
Bug 473500 - SELinux dienies VirtualBox (unconfined_t) "execmod" to /usr/lib/virtualbox/VirtualBox.so (lib_t).
SELinux dienies VirtualBox (unconfined_t) "execmod" to /usr/lib/virtualbox/Vi...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-28 16:33 EST by Stan Trzmiel
Modified: 2008-12-16 10:08 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-16 10:08:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Whole troubleshooting tool alert dumped (5.15 KB, text/plain)
2008-11-28 16:33 EST, Stan Trzmiel 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Stan Trzmiel 2008-11-28 16:33:28 EST 
Created attachment 325043 [details]
Whole troubleshooting tool alert dumped

Description of problem:
SELinux block launch of VirtualBox with message in SELinux troubleshooting tool
SELinux dienies VirtualBox (unconfined_t) "execmod" to /usr/lib/virtualbox/VirtualBox.so (lib_t). 

Suggested attempt to relabel the file causes another SElinux denial
SELinux denies restorecon (setfiles_t) "read write" do unconfined_t.

Turning the "allow_execmod" on doesn't help also

Version-Release number of selected component (if applicable):
VirtualBox-2.0.6_39765_fedora9-1.i386.rpm
selinux-policy-3.5.13-18.fc10.noarch
libselinux-2.0.73-1.fc10.i386



How reproducible:
100%

Steps to Reproduce:
Install VirtualBox-2.0.6_39765_fedora9-1.i386.rpm and try to start the application

  
Actual results: VirtualBox manager won't start


Expected results: VirtualBox should appear and alow me to turn my virtual machine on.


Additional info:
Comment 1 Daniel Walsh 2008-12-01 15:47:23 EST 
The read/write problem is a leaked file descriptor.  Are you using konsole?


Does 

chcon -t testrel_shlib_t /usr/lib/virtualbox/*.so

Fix the problem?

Please attach the execmod avc?
Comment 2 Daniel Walsh 2008-12-01 15:49:14 EST 
Also please report this as a bug to virtualbox since they are building their libraries incorrectly.
 
Attach a link to:

http://people.redhat.com/~drepper/selinux-mem.html
Comment 3 Stan Trzmiel 2008-12-03 18:29:41 EST 
Here's raw audit message:
node=localhost.localdomain type=AVC msg=audit(1228346126.832:54): avc: denied { execmod } for pid=3546 comm="VirtualBox" path="/usr/lib/virtualbox/VirtualBox.so" dev=sda2 ino=132980 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1228346126.832:54): arch=40000003 syscall=125 success=no exit=-13 a0=9c1000 a1=309000 a2=5 a3=bf80b200 items=0 ppid=3025 pid=3546 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) 

______________________________________________________________________________


I can't change SELinux context

Execututing "chcon -t testrel_shlib_t /usr/lib/virtualbox/*.so" as root gives "chcon: unable to change context `/usr/lib/virtualbox/VRDPAuth.so' to `system_u:object_r:testrel_shlib_t:s0': Wrong argument" and another SELinux alert: "SELinux deny chcon (unconfined_t) "mac_admin" to unconfined_t.

Update to selinux-policy-3.5.13-26.fc10.noarch doesn't help. The same app under Fedora 9 works just fine.
Comment 4 Daniel Walsh 2008-12-04 08:08:43 EST 
Typo 

# chcon -t textrel_shlib_t /usr/lib/virtualbox/*.so

Fixed in selinux-policy-3.5.13-31.fc10.noarch
Comment 5 Stan Trzmiel 2008-12-16 07:03:32 EST 
HI,

It works great now thanks.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.