VirtualBox 3.0.2 - Fedora 11 - SELinux issue

Component: other
Version: VirtualBox 3.0.2
Guest type: Windows
Host type: Linux


Running VB on a Fedora 11 host, I just upgraded from 3.0.0 to 3.0.2 and now get an SELinux message when running a Windows XP guest:


SELinux is preventing VirtualBox (unconfined_java_t) "mmap_zero" to <Unknown> (unconfined_java_t).

Detailed description

SELinux denied access requested by VirtualBox. The current boolean settings do not allow this access. If you have not set up VirtualBox to require this access, this may signal an intrusion attempt. If you do intend this access, you need to change the booleans on this system to allow the access.

Allowing access

Confined processes can be configured to run requiring different access; SELinux provides booleans to allow you to turn access on or off as needed. The boolean allow_unconfined_mmap_low is set incorrectly.

Boolean Description:

Allow unconfined domain to map low memory in the kernel

Fix command

# setsebool -P allow_unconfined_mmap_low 1

Additional information

Source context: unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Target context: unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Target objects: None [ memprotect ]
Source: VirtualBox
Source path: /usr/lib/virtualbox/VirtualBox
Port: <Unknown>
Host: myhost.mydomain
Source RPM packages: VirtualBox-3.0.2_49928_fedora11-1
Target RPM packages:
Policy RPM: selinux-policy-3.6.12-62.fc11
SELinux enabled: True
Policy type: targeted
MLS enabled: True
Enforcing mode: Enforcing
Plugin name: catchall_boolean
Host name: myhost.mydomain
Platform: Linux myhost.mydomain #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 athlon
Alert count: 487
First seen: Tue 14 Jul 2009 13:21:30 CEST
Last seen: Tue 14 Jul 2009 13:22:14 CEST
Local ID: 4d971e85-09d8-469b-bfba-5d8f9b23667f
Line numbers:

Raw audit messages:

node=myhost.mydomain type=AVC msg=audit(1247570534.54:36222): avc: denied { mmap_zero } for pid=14698 comm="VirtualBox" scontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=memprotect

node=myhost.mydomain type=SYSCALL msg=audit(1247570534.54:36222): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=14598 pid=14698 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 key=(null)

I am going to modify SELinux policies to avoid these messages, but it would be nice to fix this problem in the next VB update, as this problem did not exist in VB 3.0.0 and has been introduced by VB 3.0.2.
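Before flipping allow_unconfined_mmap_low (which relaxes the low-memory mapping check for every unconfined process on the host, not just VirtualBox), it is worth reading the SYSCALL record that accompanies the AVC to see what the process actually asked for. The script below is an added example, not part of this ticket or of VirtualBox: it decodes the record's arch, syscall number, mmap arguments and exit code with the x86 <asm/mman.h> values, and reports whether the requested address falls under the mmap_zero check. The record is embedded as a constructed copy of the one above so the script runs offline; MMAP_MIN_ADDR is the kernel default (65536) and is an assumption, the live value is in /proc/sys/vm/mmap_min_addr.

```shell
#!/bin/sh
# Decode the SYSCALL record that accompanies an SELinux mmap_zero AVC denial.
# Offline example: SAMPLE is a constructed copy of the record from the report.

SAMPLE='node=myhost.mydomain type=SYSCALL msg=audit(1247570534.54:36222): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=14598 pid=14698 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 key=(null)'

# Assumed kernel default for vm.mmap_min_addr; on a live host read /proc/sys/vm/mmap_min_addr.
MMAP_MIN_ADDR=65536

# field RECORD KEY: value of the first KEY=value pair in an audit record, quotes stripped.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# append LIST NAME: join flag names with '|'.
append() { if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s|%s' "$1" "$2"; fi; }

# decode_prot HEX: mmap protection bits (argument a2), x86 values.
decode_prot() {
    p=$((0x$1)); out=""
    if [ $((p & 1)) -ne 0 ]; then out=$(append "$out" PROT_READ); fi
    if [ $((p & 2)) -ne 0 ]; then out=$(append "$out" PROT_WRITE); fi
    if [ $((p & 4)) -ne 0 ]; then out=$(append "$out" PROT_EXEC); fi
    printf '%s\n' "${out:-PROT_NONE}"
}

# decode_map_flags HEX: mmap flags (argument a3), x86 <asm/mman.h> values.
decode_map_flags() {
    f=$((0x$1)); out=""
    if [ $((f & 0x01)) -ne 0 ]; then out=$(append "$out" MAP_SHARED); fi
    if [ $((f & 0x02)) -ne 0 ]; then out=$(append "$out" MAP_PRIVATE); fi
    if [ $((f & 0x10)) -ne 0 ]; then out=$(append "$out" MAP_FIXED); fi
    if [ $((f & 0x20)) -ne 0 ]; then out=$(append "$out" MAP_ANONYMOUS); fi
    if [ $((f & 0x100)) -ne 0 ]; then out=$(append "$out" MAP_GROWSDOWN); fi
    if [ $((f & 0x4000)) -ne 0 ]; then out=$(append "$out" MAP_NORESERVE); fi
    if [ $((f & 0x8000)) -ne 0 ]; then out=$(append "$out" MAP_POPULATE); fi
    printf '%s\n' "${out:-0}"
}

# syscall_name ARCH NR: the mmap family only; ARCH is the audit arch field (i386 / x86_64).
syscall_name() {
    case "$1:$2" in
        40000003:90)  echo old_mmap ;;   # i386 mmap with a struct argument
        40000003:192) echo mmap2 ;;      # i386 mmap with a page offset
        c000003e:9)   echo mmap ;;       # x86_64
        *)            echo "syscall_$2" ;;
    esac
}

# errno_name EXIT: symbolic name for the (negative) exit value.
errno_name() {
    case "${1#-}" in
        1) echo EPERM ;; 12) echo ENOMEM ;; 13) echo EACCES ;; 22) echo EINVAL ;;
        *) echo "errno_${1#-}" ;;
    esac
}

# below_min_addr HEX: does the requested address fall under the mmap_min_addr / mmap_zero check?
below_min_addr() {
    if [ $((0x$1)) -lt "$MMAP_MIN_ADDR" ]; then echo yes; else echo no; fi
}

# summarize RECORD: one human-readable line for a SYSCALL record of an mmap call.
summarize() {
    rec=$1
    arch=$(field "$rec" arch); nr=$(field "$rec" syscall)
    a0=$(field "$rec" a0); a1=$(field "$rec" a1); a2=$(field "$rec" a2); a3=$(field "$rec" a3)
    printf '%s pid %s: %s(addr=0x%s, len=0x%s, prot=%s, flags=%s) -> %s; addr below mmap_min_addr: %s\n' \
        "$(field "$rec" comm)" "$(field "$rec" pid)" "$(syscall_name "$arch" "$nr")" \
        "$a0" "$a1" "$(decode_prot "$a2")" "$(decode_map_flags "$a3")" \
        "$(errno_name "$(field "$rec" exit)")" "$(below_min_addr "$a0")"
}

summarize "$SAMPLE"
```

For the record above this prints a PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE reservation of 1 MiB at address 0 refused with EACCES: an address reservation below mmap_min_addr, which is exactly what the mmap_zero permission guards. On a real host, feed it the SYSCALL line from `ausearch -m AVC,SYSCALL -ts recent` instead of SAMPLE.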

