Bug 812357 - SELinux is preventing sh from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage.
Summary: SELinux is preventing sh from execute_no_trans access on the file /usr/lib/vi...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-13 13:49 UTC by Germano Massullo
Modified: 2012-04-13 16:08 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-13 16:08:53 UTC
Type: Bug


Attachments (Terms of Use)
ps auxZ (37.10 KB, text/plain)
2012-04-13 13:49 UTC, Germano Massullo
no flags Details
ausearch -m avc -ts today (601 bytes, text/plain)
2012-04-13 13:50 UTC, Germano Massullo
no flags Details

Description Germano Massullo 2012-04-13 13:49:50 UTC
Created attachment 577347 [details]
ps auxZ

I had the following warning

    SELinux is preventing sh from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage.
     
    ***** Plugin restorecon (99.5 confidence) suggerisce**************************
     
    Seyou want to fix the label.
    /usr/lib/virtualbox/VBoxManage default label should be bin_t.
    Quindiyou can run restorecon.
    Fai
    # /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage
     
    ***** Plugin catchall (1.49 confidence) suggerisce****************************
     
    Seyou believe that sh should be allowed execute_no_trans access on the VBoxManage file by default.
    Quindiyou should report this as a bug.
    You can generate a local policy module to allow this access.
    Fai
    allow this access for now by executing:
    # grep sh /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
     
    Informazioni addizionali:
    Contesto della sorgente       system_u:system_r:boinc_t:s0
    Contesto target               system_u:object_r:textrel_shlib_t:s0
    Oggetti target                /usr/lib/virtualbox/VBoxManage [ file ]
    Sorgente                      sh
    Percorso della sorgente       sh
    Porta                         <Sconosciuto>
    Host                          Portatile
    Sorgente Pacchetti RPM        
    Pacchetti RPM target          VirtualBox-4.1-4.1.12_77245_fedora16-1.i686
    RPM della policy              selinux-policy-3.10.0-81.fc16.noarch
    Selinux abilitato             True
    Tipo di policy                targeted
    Modalità Enforcing            Enforcing
    Host Name                     Portatile
    Piattaforma                   Linux Portatile 3.3.1-3.fc16.i686 #1 SMP Wed Apr 4
                                  19:07:24 UTC 2012 i686 i686
    Conteggio avvisi              2
    Primo visto                   ven 13 apr 2012 13:46:56 CEST
    Ultimo visto                  ven 13 apr 2012 13:49:15 CEST
     
     
    Messaggi Raw Audit
    type=AVC msg=audit(1334317755.619:238): avc:  denied  { execute_no_trans } for  pid=23249 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-0" ino=15029 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
     
     
    Hash: sh,boinc_t,textrel_shlib_t,file,execute_no_trans
     
    audit2allow
     
    #============= boinc_t ==============
    allow boinc_t textrel_shlib_t:file execute_no_trans;
     
    audit2allow -R
     
    #============= boinc_t ==============
    allow boinc_t textrel_shlib_t:file execute_no_trans;







On #fedora-selinux I tried with grift to fix it, but we did not manage it

Comment 1 Germano Massullo 2012-04-13 13:50:33 UTC
Created attachment 577348 [details]
ausearch -m avc -ts today

Comment 2 Dominick Grift 2012-04-13 14:16:20 UTC
I actually misread that report.

It says that /usr/lib/virtualbox/VBoxManage is mislabeled.

So a restorecon /usr/lib/virtualbox/VBoxManage would fix it.

We did that earlier so i guess its fixed now for you


Note You need to log in before you can comment on or make changes to this bug.