Bug 473500 - SELinux denies VirtualBox (unconfined_t) "execmod" to /usr/lib/virtualbox/VirtualBox.so (lib_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-28 21:33 UTC by Stan Trzmiel
Modified: 2008-12-16 15:08 UTC (History)

Last Closed: 2008-12-16 15:08:07 UTC


Attachments
Whole troubleshooting tool alert dumped (5.15 KB, text/plain)
2008-11-28 21:33 UTC, Stan Trzmiel

Description Stan Trzmiel 2008-11-28 21:33:28 UTC
Created attachment 325043
Whole troubleshooting tool alert dumped

Description of problem:
SELinux blocks the launch of VirtualBox with this message in the SELinux troubleshooting tool:
SELinux denies VirtualBox (unconfined_t) "execmod" to /usr/lib/virtualbox/VirtualBox.so (lib_t).

The suggested attempt to relabel the file causes another SELinux denial:
SELinux denies restorecon (setfiles_t) "read write" to unconfined_t.

Turning "allow_execmod" on doesn't help either.

Version-Release number of selected component (if applicable):
VirtualBox-2.0.6_39765_fedora9-1.i386.rpm
selinux-policy-3.5.13-18.fc10.noarch
libselinux-2.0.73-1.fc10.i386



How reproducible:
100%

Steps to Reproduce:
Install VirtualBox-2.0.6_39765_fedora9-1.i386.rpm and try to start the application

  
Actual results: VirtualBox manager won't start


Expected results: VirtualBox should appear and allow me to turn my virtual machine on.


Additional info:

Comment 1 Daniel Walsh 2008-12-01 20:47:23 UTC
The read/write problem is a leaked file descriptor.  Are you using konsole?


Does

chcon -t testrel_shlib_t /usr/lib/virtualbox/*.so

fix the problem?

Please attach the execmod AVC.

Comment 2 Daniel Walsh 2008-12-01 20:49:14 UTC
Also please report this as a bug to virtualbox since they are building their libraries incorrectly.
 
Attach a link to:

http://people.redhat.com/~drepper/selinux-mem.html

Comment 3 Stan Trzmiel 2008-12-03 23:29:41 UTC
Here's raw audit message:
node=localhost.localdomain type=AVC msg=audit(1228346126.832:54): avc: denied { execmod } for pid=3546 comm="VirtualBox" path="/usr/lib/virtualbox/VirtualBox.so" dev=sda2 ino=132980 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1228346126.832:54): arch=40000003 syscall=125 success=no exit=-13 a0=9c1000 a1=309000 a2=5 a3=bf80b200 items=0 ppid=3025 pid=3546 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

______________________________________________________________________________


I can't change SELinux context

Executing "chcon -t testrel_shlib_t /usr/lib/virtualbox/*.so" as root gives "chcon: unable to change context `/usr/lib/virtualbox/VRDPAuth.so' to `system_u:object_r:testrel_shlib_t:s0': Wrong argument" and another SELinux alert: "SELinux deny chcon (unconfined_t) "mac_admin" to unconfined_t."

Update to selinux-policy-3.5.13-26.fc10.noarch doesn't help. The same app under Fedora 9 works just fine.

Comment 4 Daniel Walsh 2008-12-04 13:08:43 UTC
Typo 

# chcon -t textrel_shlib_t /usr/lib/virtualbox/*.so

Fixed in selinux-policy-3.5.13-31.fc10.noarch

Comment 5 Stan Trzmiel 2008-12-16 12:03:32 UTC
Hi,

It works great now, thanks.
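
The raw audit record from Comment 3, decoded (an added example, not part of the original bug thread): it pairs the AVC and SYSCALL records by event id and shows that the denied call is an i386 mprotect asking for PROT_READ|PROT_EXEC on the library mapping, which is what a shared object built with text relocations triggers. The function name, the one-entry syscall table and the trimmed sample text are constructed for this example.

```python
import re

# Constructed from the two records quoted in Comment 3 (fields trimmed for length).
SAMPLE = (
    'type=AVC msg=audit(1228346126.832:54): avc: denied { execmod } for pid=3546 '
    'comm="VirtualBox" path="/usr/lib/virtualbox/VirtualBox.so" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1228346126.832:54): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=9c1000 a1=309000 a2=5 a3=bf80b200 pid=3546 '
    'exe="/usr/lib/virtualbox/VirtualBox"\n'
)

AUDIT_ARCH_I386 = 0x40000003          # EM_386 | little-endian flag
I386_SYSCALLS = {125: "mprotect"}     # only the call relevant to this record
PROT_BITS = ((0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"))
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_execmod(log_text):
    """Pair AVC and SYSCALL records by event id and explain execmod denials."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {})
        perms = PERMS.search(line)
        if perms:
            ev["perms"] = perms.group(1).split()
        ev.update((k, v.strip('"')) for k, v in KEYVAL.findall(line))
    findings = []
    for ev_id, ev in events.items():
        if "execmod" not in ev.get("perms", []):
            continue
        finding = {"event": ev_id, "path": ev.get("path"),
                   "source_type": ev["scontext"].split(":")[2],
                   "target_type": ev["tcontext"].split(":")[2]}
        if int(ev.get("arch", "0"), 16) == AUDIT_ARCH_I386:
            finding["syscall"] = I386_SYSCALLS.get(int(ev["syscall"]), "unknown")
            prot = int(ev["a2"], 16)  # third mprotect argument, hex in audit logs
            finding["prot"] = [name for bit, name in PROT_BITS if prot & bit]
        findings.append(finding)
    return findings

if __name__ == "__main__":
    print(decode_execmod(SAMPLE))
```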

