VirtualBox

Opened 8 years ago

Closed 8 years ago

#15622 closed defect (fixed)

SELinux denials on Guest Additions Fedora 23 after upgrade of VB -> believed fixed in 5.1.2 and later

Reported by: gats Owned by:
Component: guest additions/x11/graphics Version: VirtualBox 5.1.0
Keywords: selinux python3 lightdm-gtk-gre fedora f23 Cc:
Guest type: Linux Host type: Windows

Description

After installing VB 5.1.0 on a Windows 10 host (upgrade from VB 5.0.24) and starting a Fedora 23 guest (installed under previous VB version, as were guest tools), the virtual machine now displays SELinux denials on the following on login:

lightdm-gtk-gre
python3

Both binaries are trying to read the following library:

/var/lib/VBoxGuestAdditions/lib/libGL.so.1

The following are the details of the denials. As a side note, 3D acceleration was enabled for the guest.


lightdm-gtk-gre:
SELinux is preventing lightdm-gtk-gre from read access on the lnk_file /var/lib/VBoxGuestAdditions/lib/libGL.so.1.
.........
Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/VBoxGuestAdditions/lib/libGL.so.1 [lnk_file ]
Source                        lightdm-gtk-gre
Source Path                   lightdm-gtk-gre
Port                          <Unknown>
Host                          xxxxxxxxxxxxxxxxxxxxxxx
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.21.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxxxxxxxxxxxxxxx
Platform                      Linux xxxxxxxxxxxxxxxx 4.5.7-202.fc23.x86_64 #1 SMP
                              Tue Jun 28 18:22:51 UTC 2016 x86_64 x86_64
Alert Count                   6
First Seen                    2016-07-14 15:01:28 UTC
Last Seen                     2016-07-15 12:26:25 UTC
Local ID                      9f05718a-3d02-49ad-a0c2-a9e85af92154
Raw Audit Messages
type=AVC msg=audit(1468585585.217:260): avc:  denied  { read } for  pid=2144 comm="lightdm-gtk-gre" name="libGL.so.1" dev="dm-1" ino=11012059 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Hash: lightdm-gtk-gre,xdm_t,var_lib_t,lnk_file,read

python3:
SELinux is preventing python3 from read access on the lnk_file /var/lib/VBoxGuestAdditions/lib/libGL.so.1.
Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/VBoxGuestAdditions/lib/libGL.so.1 [lnk_file ]
Source                        python3
Source Path                   python3
Port                          <Unknown>
Host                          xxxxxxxxxxxxxxxxxxxx
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.21.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxxxxxxxxxxxxxxxxxx
Platform                      Linux xxxxxxxxxxxxxxxxx 4.5.7-202.fc23.x86_64 #1 SMP
                              Tue Jun 28 18:22:51 UTC 2016 x86_64 x86_64
Alert Count                   6
First Seen                    2016-07-14 15:02:47 UTC
Last Seen                     2016-07-15 12:31:27 UTC
Local ID                      478c7c2b-9677-4f2b-9476-05096ffb9e82
Raw Audit Messages
type=AVC msg=audit(1468585887.493:291): avc:  denied  { read } for  pid=3076 comm="python3" name="libGL.so.1" dev="dm-1" ino=11012059 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
Hash: python3,blueman_t,var_lib_t,lnk_file,read

Change History (9)

comment:1 by Michael Thayer, 8 years ago

Component: guest additions → guest additions/x11/graphics
Summary: SELinux denials on Guest Additions Fedora 23 after upgrade of VB → SELinux denials on Guest Additions Fedora 23 after upgrade of VB -> believed fixed in 5.1.2 and later

I believe that r62394 will fix this.

comment:2 by Frank Mehnert, 8 years ago

Resolution: fixed
Status: new → closed

Please reopen if still relevant with 5.1.2.

comment:3 by Schmellow, 8 years ago

Resolution: fixed
Status: closed → reopened

Reopening as requested in #15757. Not sure what the rules are, but I think it won't hurt if I copy-paste the whole description here.

Host: Windows 10
Guest: Fedora 24
VB Version: 5.1.2 r108956
SElinux policy RPM: selinux-policy-3.13.1-191.8.fc24.noarch

After installing guest utils from the vboxadditions ISO and rebooting, I am unable to log in through lightdm. TTY login and subsequent sudo commands take around 3 minutes to complete before displaying the password prompt.

On TTY login there is a message:
-- <username>: /home/username: change directory failed: Permission denied Logging in with home = "/"

The following SELinux errors can be found in SETroubleshooter:
1) type=AVC msg=audit(1470524669.804:243): avc: denied { read } for pid=2312 comm="python3" name="libEGL.so.1" dev="dm-0" ino=809787 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
2) type=AVC msg=audit(1470524785.137:165): avc: denied { setattr } for pid=1026 comm="lightdm-gtk-gre" name="fontconfig" dev="dm-0" ino=1042445 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
3) type=AVC msg=audit(1470525245.130:195): avc: denied { search } for pid=1157 comm="login" name="schmellow" dev="dm-0" ino=144275 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
4) type=AVC msg=audit(1470525301.238:202): avc: denied { execute } for pid=1237 comm="(fprintd)" name="fprintd" dev="dm-0" ino=141886 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
5) type=AVC msg=audit(1470561779.225:188): avc: denied { read } for pid=1131 comm="lightdm-gtk-gre" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-7" dev="dm-0" ino=1047101 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0

Last edited 8 years ago by Schmellow

comment:4 by Frank Mehnert, 8 years ago

Could you try the latest test Guest Additions from here? Please use the Guest Additions .iso image directly.

comment:5 by Schmellow, 8 years ago (in reply to comment:4)

Replying to frank:

Could you try the latest test Guest Additions from here? Please use the Guest Additions .iso image directly.

I've just tried version 5.1.3-109844, and it does not seem to solve the issue. I forgot to mention the kernel version. The original report is based on the 4.6.4 kernel.

I have two more kernels installed: one left from system installation (4.5.5), and the new one (4.6.5) that came today. So I went and installed additions for them too.

Ultimately the issue persists, although behaviour for those kernels is a little different (for "freshly" installed additions, I guess? for 4.6.4 I just reinstalled them through the run file). So, I still can't log in through lightdm, but instead of denying access silently it just crashes with the message in .xsession-error: "Fatal IO error 11 (Resource temporarily unavailable) on X server :0."

Also the delay on TTY login is gone. The permission issue with the home directory is still there though.

comment:6 by Michael Thayer, 8 years ago

Those sound like new issues, not the same one. Sometimes there are problems the first time you boot a different kernel to the one which was enabled when you installed the Additions. If that is what is happening then booting those other kernels again should make the new issue go away. If not we can take a look after the SELinux issue is solved.

comment:7 by Michael Thayer, 8 years ago

I was able to install and use lightdm on a fully updated Fedora 24 guest with Additions installed. Could you please provide a test case which starts with freshly installing a virtual machine?

comment:8 by Michael Thayer, 8 years ago

Now by chance I did see that SELinux error on my Fedora 24 virtual machine, which still has lightdm set up on it. The two SELinux problems were:

SELinux is preventing gnome-session-b from read access on the file /var/lib/gdm/.config/dconf/user.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label. 
/var/lib/gdm/.config/dconf/user default label should be xdm_var_lib_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lib/gdm/.config/dconf/user

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow gnome-session-b to have read access on the user file
Then you need to change the label on /var/lib/gdm/.config/dconf/user
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/gdm/.config/dconf/user'
where FILE_TYPE is one of the following: [...]

and

SELinux is preventing login from search access on the directory /home/vbox.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label. 
/home/vbox default label should be user_home_dir_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/vbox

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow login to have search access on the vbox directory
Then you need to change the label on /home/vbox
Do
# semanage fcontext -a -t FILE_TYPE '/home/vbox'
where FILE_TYPE is one of the following: [...]

I did the two restorecon commands and was able to log in. The problem did not re-appear on reboot.
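
The denials quoted in the description and the restorecon fix in comment:8 follow one pattern: setroubleshoot reduces each AVC record to a signature (the "Hash:" line above: comm, source type, target type, object class, permission), and a target type of unlabeled_t means the object carries no label at all, which is a labelling problem that restorecon fixes rather than a policy gap. The Python script below is an added example, not VirtualBox or setroubleshoot code. It parses the raw AVC records quoted in this ticket (copied from the description and comment:3, not constructed), rebuilds the signature, groups denials by it, and tags each group as a relabel candidate or as needing a closer look. The classify() heuristic and the wording of suggestion() are the example's own assumptions, and the commands it names (restorecon -nv, matchpathcon) are ordinary policycoreutils tools, not anything the ticket ran.

```python
"""Triage raw SELinux AVC denials the way setroubleshoot's 'Hash:' line does.

Added example; not VirtualBox or setroubleshoot code. The records below are the
raw audit messages quoted in this ticket.
"""
import re
from collections import Counter

# AVC records copied verbatim from the ticket (description and comment:3).
SAMPLE_AVC = """\
type=AVC msg=audit(1468585585.217:260): avc:  denied  { read } for  pid=2144 comm="lightdm-gtk-gre" name="libGL.so.1" dev="dm-1" ino=11012059 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1468585887.493:291): avc:  denied  { read } for  pid=3076 comm="python3" name="libGL.so.1" dev="dm-1" ino=11012059 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1470525245.130:195): avc: denied { search } for pid=1157 comm="login" name="schmellow" dev="dm-0" ino=144275 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1470525301.238:202): avc: denied { execute } for pid=1237 comm="(fprintd)" name="fprintd" dev="dm-0" ino=141886 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

# 'avc:  denied  { read }' -> the result and the permission set inside the braces.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value pairs; the value is either "quoted" (comm, name) or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type:range)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "tclass": fields.get("tclass", "?"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "permissive": fields.get("permissive") == "1",
    }


def signature(rec):
    """setroubleshoot-style signature: comm,source type,target type,class,perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"],
                     " ".join(rec["perms"])])


def classify(rec):
    """Heuristic (example's own assumption): an unlabeled_t target is a labelling
    problem to fix with restorecon; anything else needs a human look at the
    label before a policy change is considered."""
    return "relabel" if rec["ttype"] == "unlabeled_t" else "review"


def suggestion(rec):
    """Human-readable next step for one record (wording is the example's own)."""
    if classify(rec) == "relabel":
        return ("target '%s' is unlabeled_t: find its full path and dry-run "
                "'restorecon -nv <path>' to see the label the policy expects" % rec["name"])
    return ("target '%s' is %s: compare with 'matchpathcon <path>' before "
            "treating this as a policy bug" % (rec["name"], rec["ttype"]))


def triage(text):
    """Group denied AVC records by signature and tag each group."""
    groups, tags = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        sig = signature(rec)
        groups[sig] += 1
        tags[sig] = classify(rec)
    return groups, tags


if __name__ == "__main__":
    groups, tags = triage(SAMPLE_AVC)
    for sig, count in groups.items():
        print("%dx %-60s %s" % (count, sig, tags[sig]))
    for line in SAMPLE_AVC.splitlines():
        print("-", suggestion(parse_avc(line)))
```

Run against the ticket's own records, the first two lines reproduce the "Hash:" values shown in the description, and the two comment:3 records with unlabeled_t targets are the ones comment:8 later cleared with restorecon. Feeding the script the output of ausearch -m AVC on a guest gives the same grouping without setroubleshoot installed.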

comment:9 by Michael Thayer, 8 years ago

Resolution: fixed
Status: reopened → closed

I suspect that this is some problem with Fedora SELinux policy and lightdm. I will close for now, but feel free to re-open it if you find additional indications that it is VirtualBox-related. (If you find a way to reproduce it, please indicate that and also try it without Additions installed.)
