Bug 829118 - SELinux is preventing /usr/bin/bash from 'execute_no_trans' accesses on the file /usr/lib/virtualbox/VBoxManage.
SELinux is preventing /usr/bin/bash from 'execute_no_trans' accesses on the f...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:a22054d42521528841bade2b8ed...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-06 00:04 EDT by Devon Janitz
Modified: 2012-09-20 13:28 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-22 05:53:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
bug report log (3.33 KB, text/x-log)
2012-08-19 18:12 EDT, Ladislav Nesnera
no flags Details

  None (edit)
Description Devon Janitz 2012-06-06 00:04:12 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.7-1.fc17.x86_64
time:           Wed 06 Jun 2012 12:03:55 AM EDT

description:
:SELinux is preventing /usr/bin/bash from 'execute_no_trans' accesses on the file /usr/lib/virtualbox/VBoxManage.
:
:*****  Plugin restorecon (93.9 confidence) suggests  *************************
:
:If you want to fix the label. 
:/usr/lib/virtualbox/VBoxManage default label should be bin_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage
:
:*****  Plugin leaks (6.10 confidence) suggests  ******************************
:
:If you want to ignore bash trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (1.43 confidence) suggests  ***************************
:
:If you believe that bash should be allowed execute_no_trans access on the VBoxManage file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sh /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:boinc_t:s0
:Target Context                system_u:object_r:textrel_shlib_t:s0
:Target Objects                /usr/lib/virtualbox/VBoxManage [ file ]
:Source                        sh
:Source Path                   /usr/bin/bash
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           bash-4.2.28-1.fc17.x86_64
:Target RPM Packages           VirtualBox-4.1-4.1.16_78094_fedora17-1.x86_64
:Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.7-1.fc17.x86_64 #1 SMP Mon
:                              May 21 22:32:19 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Wed 06 Jun 2012 12:01:55 AM EDT
:Last Seen                     Wed 06 Jun 2012 12:01:55 AM EDT
:Local ID                      68b1d800-8534-4ed6-b592-b0a46b8d53ec
:
:Raw Audit Messages
:type=AVC msg=audit(1338955315.409:103): avc:  denied  { execute_no_trans } for  pid=2719 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=3158964 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1338955315.409:103): arch=x86_64 syscall=execve success=no exit=EACCES a0=95f180 a1=95f0d0 a2=95e100 a3=18 items=0 ppid=2714 pid=2719 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)
:
:Hash: sh,boinc_t,textrel_shlib_t,file,execute_no_trans
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Devon Janitz 2012-06-20 19:10:52 EDT
This has occured again and came after today kernel upgrade from Fedora.
Comment 2 Miroslav Grepl 2012-06-21 01:54:39 EDT
PLease execute

# restorecon -R -v /usr/lib/virtualbox/VBoxManage
Comment 3 Devon Janitz 2012-06-21 09:36:58 EDT
I did run /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage from the SELinux truoble shooter and that did not work and returns the results of 

Traceback (most recent call last):
  File "/bin/sealert", line 50, in <module>
    from setroubleshoot.util import get_identity, load_plugins
  File "/usr/lib64/python2.7/site-packages/setroubleshoot/util.py", line 283, in <module>
    file_types =  setools.seinfo(setools.ATTRIBUTE,"file_type")[0]["types"]
  File "/usr/lib64/python2.7/site-packages/setools/__init__.py", line 49, in seinfo
    dict_list = _seinfo.seinfo(setype, name)
RuntimeError: No default policy found.

I will try your command now and see what the results are over the next day or so.
Thanks, Devon
Comment 4 Devon Janitz 2012-06-21 09:45:31 EDT
I did run the command restorecon -R -v /usr/lib/virtualbox/VBoxManage and this did not correct the error.  Seems to occur at each restart.
Devon
Comment 5 Miroslav Grepl 2012-06-21 10:43:22 EDT
Ok, what does

grep -r VBoxManage /etc/selinux/targeted/contexts/
Comment 6 Devon Janitz 2012-06-21 12:12:20 EDT
It returns the results below, and VBoxManage is highlighted in red color.

/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/virtualbox/VBoxManage	--	system_u:object_r:bin_t:s0
Comment 7 Miroslav Grepl 2012-06-22 05:53:56 EDT
Which looks correct.

# ls -Z /usr/lib/virtualbox/VBoxManage
Comment 8 Devon Janitz 2012-06-22 11:09:57 EDT
Good day Miroslav,
Results are below.  Random thing this morning, the error is not occurring anymore as of this AM when I turned on my computer.  Really have no idea why at this time.  If this makes it a dead issue, thanks very much for your time.  I know you can not fix something that is not broke.
Devon

[root@fisc-dcj-xpsf ~]# ls -Z /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/lib/virtualbox/VBoxManage
[root@fisc-dcj-xpsf ~]#
Comment 9 Miroslav Grepl 2012-06-25 08:32:01 EDT
Ok, reopen if this happens again.
Comment 10 Ladislav Nesnera 2012-08-19 18:12:16 EDT
Created attachment 605546 [details]
bug report log

I have met with "SELinux is preventing /usr/bin/bash from 'execute_no_trans'.. " many times. This bug should be reopened, I think. Have a look at log file.
Comment 11 Devon Janitz 2012-09-13 19:25:46 EDT
This is still returning on each udpate of Virtual Box.  Is this a bug that should be passed to them?

SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/lib/virtualbox/VBoxManage.

*****  Plugin restorecon (93.9 confidence) suggests  *************************

If you want to fix the label. 
/usr/lib/virtualbox/VBoxManage default label should be bin_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/lib/virtualbox/VBoxManage

*****  Plugin leaks (6.10 confidence) suggests  ******************************

If you want to ignore bash trying to execute_no_trans access the VBoxManage file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/bash /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (1.43 confidence) suggests  ***************************

If you believe that bash should be allowed execute_no_trans access on the VBoxManage file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:boinc_t:s0
Target Context                system_u:object_r:textrel_shlib_t:s0
Target Objects                /usr/lib/virtualbox/VBoxManage [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.37-2.fc17.x86_64
Target RPM Packages           VirtualBox-4.2-4.2.0_80737_fedora17-1.x86_64
Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fisc-dcj-fedora 3.5.3-1.fc17.x86_64 #1 SMP
                              Wed Aug 29 18:46:34 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-09-13 19:19:38 EDT
Last Seen                     2012-09-13 19:19:38 EDT
Local ID                      41ae567b-a967-46ac-bc35-ed9ad997186f

Raw Audit Messages
type=AVC msg=audit(1347578378.82:74): avc:  denied  { execute_no_trans } for  pid=1818 comm="sh" path="/usr/lib/virtualbox/VBoxManage" dev="dm-1" ino=2763345 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file


type=SYSCALL msg=audit(1347578378.82:74): arch=x86_64 syscall=execve success=no exit=EACCES a0=15d9160 a1=15d84c0 a2=15d8120 a3=18 items=0 ppid=1813 pid=1818 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:boinc_t:s0 key=(null)

Hash: sh,boinc_t,textrel_shlib_t,file,execute_no_trans

audit2allow

#============= boinc_t ==============
allow boinc_t textrel_shlib_t:file execute_no_trans;

audit2allow -R

#============= boinc_t ==============
allow boinc_t textrel_shlib_t:file execute_no_trans;
Comment 12 Miroslav Grepl 2012-09-17 05:20:00 EDT
Ok, what does

# rpm -qa --scripts |grep semanage

I believe the VirtualBox package adds this labeling.
Comment 13 Ladislav Nesnera 2012-09-17 16:34:20 EDT
# rpm -qa --scripts |grep semanage
#

HD worked hard but empty row was result :(
Comment 14 Ladislav Nesnera 2012-09-17 16:44:19 EDT
repoquery -i VirtualBox

Name        : VirtualBox
Version     : 4.1.18
Release     : 1.fc17
Architecture: x86_64
Size        : 69619314
Packager    : <http://nonfree.rpmfusion.org/>
Group       : Development/Tools
URL         : http://www.virtualbox.org/wiki/VirtualBox
Repository  : rpmfusion-free-updates
Summary     : A general-purpose full virtualizer for PC hardware
Source      : VirtualBox-4.1.18-1.fc17.src.rpm
Description :
A general-purpose full virtualizer and emulator for 32-bit and
64-bit x86 based PC-compatible machines.
Comment 15 Devon Janitz 2012-09-17 18:25:25 EDT
Submitted rpm -qa --scripts |grep semanage and got no results returned.  Could this be a result that I have already issued the command restorecon -R -v /usr/lib/virtualbox/VBoxManage to correct the problem again?
Devon
Comment 16 Daniel Walsh 2012-09-18 08:16:43 EDT
No.  Strange that you you would not find one semanage command.

You could also look for semodule.

What does semodule -l output, looking for something referring to VirtualBox or Vbox.
Comment 17 Devon Janitz 2012-09-18 08:40:08 EDT
Output is shortened to that area.

uuidd	1.0.0	
varnishd	1.2.0	
vbetool	1.6.0	
vdagent	1.0.0	
vhostmd	1.0.0	
virt	1.4.2	
vlock	1.0.1	
vmware	2.3.1	
vnstatd	1.0.0	
vpn	1.14.0	
w3c	1.0.0
Comment 18 Daniel Walsh 2012-09-18 09:20:39 EDT
Nothing obvious there?

rpm -qf /etc/selinux/targeted/modules/active/modules/*pp | grep -v selinux-policy
Comment 19 Devon Janitz 2012-09-19 23:23:10 EDT
I entered the command above and it did not return anything.  So I removed the grep portion and it returned "selinux-policy-targeted-3.10.0-146.fc17.noarch" over a hundred times I believe.
Comment 20 Miroslav Grepl 2012-09-20 02:47:05 EDT
What does

# grep -r VBoxManage /etc/selinux/targeted/contexts
Comment 21 Ladislav Nesnera 2012-09-20 06:44:22 EDT
I can confirm the same behaviour as in the Comment #19

# grep -r VBoxManage /etc/selinux/targeted/contexts
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/virtualbox/VBoxManage	--	system_u:object_r:bin_t:s0

(for selinux-policy.noarch 0:3.10.0-149.fc17)
Comment 22 Miroslav Grepl 2012-09-20 06:46:39 EDT
Ok, 

# restorecon -v /usr/lib/virtualbox/VBoxManage

# ls -Z /usr/lib/virtualbox/VBoxManage
Comment 23 Ladislav Nesnera 2012-09-20 09:15:35 EDT
# restorecon -v /usr/lib/virtualbox/VBoxManage
<blank row>

# ls -Z /usr/lib/virtualbox/VBoxManage
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/lib/virtualbox/VBoxManage
Comment 24 Miroslav Grepl 2012-09-20 13:28:15 EDT
Ok, it looks correct.

Note You need to log in before you can comment on or make changes to this bug.