#2683 closed defect (fixed)

SELinux is preventing VirtualBox from loading VirtualBox.so which requires text relocation => Fixed in SVN

Reported by:	MALDATA	Owned by:
Component:	other	Version:	VirtualBox 2.0.6
Keywords:		Cc:
Guest type:	other	Host type:	Linux

Description

After installing the "All distributions" binary on a Fedora 10 machine and starting it for
the first time (after installing the compat-libstdc++-33-3.2.3-64 package), I got an
SELinux AVC denial which stated:

SELinux is preventing VirtualBox from loading /opt/VirtualBox-2.0.6/VirtualBox.so which
requires text relocation.

The VirtualBox application attempted to load /opt/VirtualBox-2.0.6/VirtualBox.so which 
requires text relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this permission.
The SELinux Memory Protection Tests web page explains how to remove this requirement. You
can configure SELinux temporarily to allow /opt/VirtualBox-2.0.6/VirtualBox.so to use 
relocation as a workaround, until the library is fixed. Please file a bug report against
this package.

I gave it access by doing

# chcon -t textrel_shlib_t /opt/VirtualBox-2.0.6/VirtualBox.so
# semanage fcontext -a -t textrel_shlib_t /opt/VirtualBox-2.0.6/VirtualBox.so

So the workaround is easy, but it might as well be fixed.

Change History (6)

comment:1 by Frank Mehnert, 16 years ago

I'm not an expert in SELinux. Our installer contains several chcon instructions:

chcon -t texrel_shlib_t /usr/lib/virtualbox/*VBox* > /dev/null 2>&1
chcon -t texrel_shlib_t /usr/lib/virtualbox/VRDPAuth.so > /dev/null 2>&1
chcon -t texrel_shlib_t /usr/lib/virtualbox/components/VBox*.so > /dev/null 2>&1
chcon -t java_exec_t    /usr/lib/virtualbox/VirtualBox
chcon -t java_exec_t    /usr/lib/virtualbox/VBoxSDL
chcon -t java_exec_t    /usr/lib/virtualbox/VBoxHeadless
chcon -t java_exec_t    /usr/lib/virtualbox/vboxwebsrv

The line

chcon -t texrel_shlib_t /usr/lib/virtualbox/VirtualBox.so > /dev/null 2>&1

is obviously missing. The question is if adding this line is enough. Any maybe there is a better fix for the java_exec_t rules as this sounds a bit hacky. Note that such a context is necessary as VirtualBox has the same requirement as other recompilers (execute code in allocated memory).

comment:2 by Frank Mehnert, 16 years ago

Summary:	SELinux is preventing VirtualBox from loading VirtualBox.so which requires text relocation → SELinux is preventing VirtualBox from loading VirtualBox.so which requires text relocation => Fixed in SVN

See my last comment, a better fix is welcome.

comment:3 by Laszlo Beres, 16 years ago

As I see the latest selinux policy contains this fcontext. But the postinstall script is wrong: there is texrel_shlib_t context instead of textrel_shlib_t

comment:4 by Frank Mehnert, 16 years ago

This E-mail explains that texrel_shlib_t is an alias for textrel_shlib_t. Hmm, I would like to know since when textrel_shlib_t is available ...

comment:5 by Laszlo Beres, 16 years ago

Well, you're right, I didn't know this.

comment:6 by Frank Mehnert, 16 years ago

Resolution:	→ fixed
Status:	new → closed

Should be fixed in 2.1.4.

Note: See TracTickets for help on using tickets.

Download in other formats: