Opened 15 years ago
Closed 13 years ago
#4526 closed defect (fixed)
VirtualBox 3.0.2 - Fedora 11 - SELinux issue
| Reported by: | didierg | Owned by: | |
|---|---|---|---|
| Component: | other | Version: | VirtualBox 3.0.2 |
| Keywords: | | Cc: | |
| Guest type: | Windows | Host type: | Linux |
Description
Running VB on a Fedora 11 host, I just upgraded from 300 to 302 and I now get an SELinux message when running a Windows XP guest:
Résumé
SELinux is preventing VirtualBox (unconfined_java_t) "mmap_zero" to <Unknown> (unconfined_java_t).
Description détaillée
SELinux denied access requested by VirtualBox. The current boolean settings do not allow this access. If you have not setup VirtualBox to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.
Autoriser l'accès
Confined processes can be configured to to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_unconfined_mmap_low is set incorrectly.
Boolean Description:
Allow unconfined domain to map low memory in the kernel
Commande de correction
# setsebool -P allow_unconfined_mmap_low 1
Informations complémentaires
Contexte source: unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Contexte cible: unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Objets du contexte: None [ memprotect ]
source: VirtualBox
Chemin de la source: /usr/lib/virtualbox/VirtualBox
Port: <Inconnu>
Hôte: myhost.mydomain
Paquetages RPM source: VirtualBox-3.0.2_49928_fedora11-1
Paquetages RPM cible:
Politique RPM: selinux-policy-3.6.12-62.fc11
Selinux activé: True
Type de politique: targeted
MLS activé: True
Mode strict: Enforcing
Nom du plugin: catchall_boolean
Nom de l'hôte: myhost.mydomain
Plateforme: Linux myhost.mydomain 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 athlon
Compteur d'alertes: 487
Première alerte: mar. 14 juil. 2009 13:21:30 CEST
Dernière alerte: mar. 14 juil. 2009 13:22:14 CEST
ID local: 4d971e85-09d8-469b-bfba-5d8f9b23667f
Numéros des lignes:
Messages d'audit bruts :
node=myhost.mydomain type=AVC msg=audit(1247570534.54:36222): avc: denied { mmap_zero } for pid=14698 comm="VirtualBox" scontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=memprotect
node=myhost.mydomain type=SYSCALL msg=audit(1247570534.54:36222): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=14598 pid=14698 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 key=(null)
I am going to modify SELinux policies to avoid these messages, but it will be nice to fix this problem in the next VB update, as this problem did not exist in VB 3.0.0 and has been introduced by VB 3.0.2.
Please reopen if still relevant with VBox 4.0.4.
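
A triage sketch for the raw audit messages in this ticket, added here as an example and not part of the ticket or of VirtualBox: it pairs the AVC and SYSCALL records by audit event id and decodes the mmap2 arguments behind the `mmap_zero` denial. The function names and the flag table are this example's own; the flag values are the x86 Linux ones.

```python
import re

# The two raw audit records from the ticket, copied verbatim.
SAMPLE = """\
node=myhost.mydomain type=AVC msg=audit(1247570534.54:36222): avc: denied { mmap_zero } for pid=14698 comm="VirtualBox" scontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=memprotect
node=myhost.mydomain type=SYSCALL msg=audit(1247570534.54:36222): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=14598 pid=14698 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 key=(null)
"""

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{ ([^}]*) \}')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86 Linux mmap flag bits (only the ones this example names)
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
             0x20: "MAP_ANONYMOUS", 0x4000: "MAP_NORESERVE"}

def parse_events(text):
    """Group audit records by (timestamp, serial), the event id in msg=audit(...)."""
    events = {}
    for line in text.splitlines():
        m = HEAD.search(line)
        if not m:
            continue
        rtype, ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault((ts, serial), {})[rtype] = fields
    return events

def mmap_zero_denials(events):
    """Return one triage row per event whose AVC record denies mmap_zero."""
    rows = []
    for (ts, serial), recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "mmap_zero" not in avc["perms"]:
            continue
        row = {"serial": serial, "comm": avc.get("comm"), "exe": sc.get("exe"),
               "scontext": avc.get("scontext"), "tclass": avc.get("tclass")}
        # a0..a3 are hex. On arch 40000003 (i386), syscall 192 is mmap2(addr, len, prot, flags, ...).
        if sc.get("arch") == "40000003" and sc.get("syscall") == "192":
            addr, length, prot, flags = (int(sc[a], 16) for a in ("a0", "a1", "a2", "a3"))
            row.update(addr=addr, length=length, prot=prot,
                       flags=sorted(n for b, n in MAP_FLAGS.items() if flags & b))
        rows.append(row)
    return rows

if __name__ == "__main__":
    print(mmap_zero_denials(parse_events(SAMPLE)))
```

For the ticket's event this yields address 0, length 0x100000, protection 0 and flags MAP_ANONYMOUS, MAP_NORESERVE and MAP_PRIVATE, with MAP_FIXED not set.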