VirtualBox

Ticket #2683 (closed defect: fixed)

Opened 5 years ago

Last modified 4 years ago

SELinux is preventing VirtualBox from loading VirtualBox.so which requires text relocation => Fixed in SVN

Reported by: MALDATA
Owned by:
Priority: minor
Component: other
Version: VirtualBox 2.0.6
Keywords:
Cc:
Guest type: other
Host type: Linux

Description

After installing the "All distributions" binary on a Fedora 10 machine and starting it for
the first time (after installing the compat-libstdc++-33-3.2.3-64 package), I got an
SELinux AVC denial which stated:

SELinux is preventing VirtualBox from loading /opt/VirtualBox-2.0.6/VirtualBox.so which
requires text relocation.

The VirtualBox application attempted to load /opt/VirtualBox-2.0.6/VirtualBox.so which 
requires text relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this permission.
The SELinux Memory Protection Tests web page explains how to remove this requirement. You
can configure SELinux temporarily to allow /opt/VirtualBox-2.0.6/VirtualBox.so to use 
relocation as a workaround, until the library is fixed. Please file a bug report against
this package. 

I gave it access by doing

# chcon -t textrel_shlib_t /opt/VirtualBox-2.0.6/VirtualBox.so
# semanage fcontext -a -t textrel_shlib_t /opt/VirtualBox-2.0.6/VirtualBox.so

So the workaround is easy, but it might as well be fixed.

Change History

comment:1 Changed 5 years ago by frank

I'm not an expert in SELinux. Our installer contains several chcon instructions:

chcon -t texrel_shlib_t /usr/lib/virtualbox/*VBox* > /dev/null 2>&1
chcon -t texrel_shlib_t /usr/lib/virtualbox/VRDPAuth.so > /dev/null 2>&1
chcon -t texrel_shlib_t /usr/lib/virtualbox/components/VBox*.so > /dev/null 2>&1
chcon -t java_exec_t    /usr/lib/virtualbox/VirtualBox
chcon -t java_exec_t    /usr/lib/virtualbox/VBoxSDL
chcon -t java_exec_t    /usr/lib/virtualbox/VBoxHeadless
chcon -t java_exec_t    /usr/lib/virtualbox/vboxwebsrv

The line

chcon -t texrel_shlib_t /usr/lib/virtualbox/VirtualBox.so > /dev/null 2>&1

is obviously missing. The question is if adding this line is enough. And maybe there is a better fix for the java_exec_t rules as this sounds a bit hacky. Note that such a context is necessary as VirtualBox has the same requirement as other recompilers (execute code in allocated memory).

comment:2 Changed 5 years ago by frank

  • Summary changed from SELinux is preventing VirtualBox from loading VirtualBox.so which requires text relocation to SELinux is preventing VirtualBox from loading VirtualBox.so which requires text relocation => Fixed in SVN

See my last comment, a better fix is welcome.

comment:3 Changed 5 years ago by lberes

As I see the latest SELinux policy contains this fcontext. But the postinstall script is wrong: there is texrel_shlib_t context instead of textrel_shlib_t.

comment:4 Changed 5 years ago by frank

This E-mail explains that texrel_shlib_t is an alias for textrel_shlib_t. Hmm, I would like to know since when textrel_shlib_t is available ...

comment:5 Changed 5 years ago by lberes

Well, you're right, I didn't know this.

comment:6 Changed 5 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Should be fixed in 2.1.4.
