VirtualBox 302 - Fedora 11 - SELinux issue

Posted: 14. Jul 2009, 13:56
by didierg
Hello,

Running VB on a Fedora 11 host, I just upgraded from 300 to 302 and I now get an SELinux message when running a Windows XP guest:
Résumé

SELinux is preventing VirtualBox (unconfined_java_t) "mmap_zero" to <Unknown> (unconfined_java_t).

Description détaillée

SELinux denied access requested by VirtualBox. The current boolean settings do not allow this access. If you have not setup VirtualBox to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Autoriser l'accès

Confined processes can be configured to to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_unconfined_mmap_low is set incorrectly.

Boolean Description:

Allow unconfined domain to map low memory in the kernel

Commande de correction

# setsebool -P allow_unconfined_mmap_low 1

Informations complémentaires

Contexte source:  unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Contexte cible:  unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Objets du contexte:  None [ memprotect ]
source:  VirtualBox
Chemin de la source:  /usr/lib/virtualbox/VirtualBox
Port:  <Inconnu>
Hôte:  myhost.mydomain
Paquetages RPM source:  VirtualBox-3.0.2_49928_fedora11-1
Paquetages RPM cible:  
Politique RPM:  selinux-policy-3.6.12-62.fc11
Selinux activé:  True
Type de politique:  targeted
MLS activé:  True
Mode strict:  Enforcing
Nom du plugin:  catchall_boolean
Nom de l'hôte:  myhost.mydomain
Plateforme:  Linux myhost.mydomain 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 athlon
Compteur d'alertes:  487
Première alerte:  mar. 14 juil. 2009 13:21:30 CEST
Dernière alerte:  mar. 14 juil. 2009 13:22:14 CEST
ID local:  4d971e85-09d8-469b-bfba-5d8f9b23667f
Numéros des lignes:  

Messages d'audit bruts :

node=myhost.mydomain type=AVC msg=audit(1247570534.54:36222): avc: denied { mmap_zero } for pid=14698 comm="VirtualBox" scontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=memprotect

node=myhost.mydomain type=SYSCALL msg=audit(1247570534.54:36222): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 ppid=14598 pid=14698 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox" subj=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 key=(null)
I am going to modify SELinux policies to avoid these messages, but it would be nice to fix this problem in the next VB update, as this problem did not exist in VB 300 and was introduced by VB 302.
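
Added example, not part of the original post or of VirtualBox: a short Python triage script that pairs the AVC and SYSCALL records above by audit event id and decodes the mmap arguments behind the mmap_zero denial. The function names are hypothetical, and the argument decoding assumes an i386 record (arch=40000003, syscall=192, i.e. mmap2) as in the post.

```python
import re

# Sample input: the two raw audit records from the post (SYSCALL record shortened).
SAMPLE = '''node=myhost.mydomain type=AVC msg=audit(1247570534.54:36222): avc: denied { mmap_zero } for pid=14698 comm="VirtualBox" scontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=memprotect
node=myhost.mydomain type=SYSCALL msg=audit(1247570534.54:36222): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=100000 a2=0 a3=4022 items=0 pid=14698 comm="VirtualBox" exe="/usr/lib/virtualbox/VirtualBox"
'''

# Linux mmap flag bits as defined for x86.
MMAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
              0x20: "MAP_ANONYMOUS", 0x4000: "MAP_NORESERVE"}
I386_MMAP2 = ("40000003", "192")  # AUDIT_ARCH_I386, __NR_mmap2

def parse_records(text):
    """Group audit records by event id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):(.*)", line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        perm = re.search(r"denied\s+\{ ([^}]+) \}", body)
        if perm:
            fields["perms"] = perm.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def mmap_zero_denials(text):
    """Return one finding per event whose AVC record denies mmap_zero."""
    findings = []
    for event_id, recs in parse_records(text).items():
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL", {})
        if "mmap_zero" not in avc.get("perms", []):
            continue
        finding = {"event": event_id, "comm": avc.get("comm", "").strip('"'),
                   "exe": sc.get("exe", "").strip('"')}
        if (sc.get("arch"), sc.get("syscall")) == I386_MMAP2:
            flags = int(sc["a3"], 16)  # audit prints a0..a3 in hex
            finding.update(addr=int(sc["a0"], 16), length=int(sc["a1"], 16),
                           prot=int(sc["a2"], 16),
                           flags=sorted(n for b, n in MMAP_FLAGS.items() if flags & b))
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in mmap_zero_denials(SAMPLE):
        print(f)
```

For the record in the post this reports a 1 MiB mapping request with address argument 0, protection 0 (PROT_NONE) and flags MAP_PRIVATE, MAP_ANONYMOUS and MAP_NORESERVE.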

Re: VirtualBox 302 - Fedora 11 - SELinux issue

Posted: 14. Jul 2009, 14:08
by Sasquatch
If you want to make sure it gets fixed, open a bug report in the bug tracker (http://www.virtualbox.org/wiki/Bugtracker). You need a separate account for it.