SELinux alert caused by VirtualBox after every kernel update [closed]
Actually it is not a big deal, because VirtualBox works fine, but I want to try to understand these alerts from SELinux. In a nutshell, what I have understood is the following: vboxdrv.sh, located in /usr/lib/virtualbox, is trying to create a file named vbox-setup.log in /var/log but is prevented by SELinux.
- I looked up the properties of vboxdrv.sh:
-rwxr-xr-x. 1 root root
and the security context is system_u:object_r:lib_t:s0
- vbox-setup.log does not exist; I think its creation is prevented by SELinux. Am I right?
This is from the SETroubleshoot Details Window
SELinux is preventing vboxdrv.sh from create access on the file vbox-setup.log.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that vboxdrv.sh should be allowed create access on the vbox-setup.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vboxdrv.sh' --raw | audit2allow -M my-vboxdrvsh
# semodule -X 300 -i my-vboxdrvsh.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects vbox-setup.log [ file ]
Source vboxdrv.sh
Source Path vboxdrv.sh
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-42.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.18.8-200.fc28.x86_64 #1 SMP Sun Sep 16 18:15:41 UTC 2018 x86_64 x86_64
Alert Count 70
First Seen 2018-03-20 20:20:00 CET
Last Seen 2018-09-22 13:54:38 CEST
Local ID d57bf0c9-f93e-4b1f-a563-290ec039e7fa
Raw Audit Messages
type=AVC msg=audit(1537617278.521:227): avc: denied { create } for pid=946 comm="vboxdrv.sh" name="vbox-setup.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Hash: vboxdrv.sh,init_t,var_log_t,file,create
- Is this a bug?
- Or is there something wrong?
- Can someone please explain to me what SELinux is trying to tell me?
The following was added after the kernel update (from 4.18.9-200 to 4.18.10-200) on 1 October: It took some time for the next kernel update. Finally, I executed both commands before updating the kernel. After the update there was no alert from SELinux. I also cannot find the alerts in SELinux any more.
- What happened? Are the changes I made with those two lines of commands permanent?
I checked for vbox-setup.log in /var/log and guess what? It is there now with four lines of messages:
Building the main VirtualBox module.
Building the net filter module.
Building the net adaptor module.
Building the PCI pass-through module.
And with file properties -rw-r--r--. 1 root root and security context system_u:object_r:var_log_t:s0, as it probably should have.
I don't know if it's a bug in the program or in the install scripts, but in either case, you should report it. If it's happening to you, it's probably happening to others but the devs can't correct it until they're told about it.
You added a new permission rule to SELinux and that is permanent until you remove the rule again.
vbox-setup.log inherits the SELinux context from the directory, /var/log, so that is normal. The program vboxdrv.sh was probably started from systemd and therefore inherits its context. Normally things started by systemd do not write any log files, so therefore do not need permission to create files in /var/log.
One question. Probably I can google it, but to ask is easier. How can I remove the exceptions? The reason I ask now is that there is a kernel update but also an update for SELinux. So I want to update the system with those two commands 'disabled' and see what happens after the update of the kernel and SELinux.
You probably can't, at least not directly. Once you've added that rule, updates shouldn't bring it back because the executable's name doesn't change and that's what SELinux looks for.
You use semodule -r to remove a ruleset again. If the name of your rule module is my-vbox-rules you install it with and remove it again using
You can disable a module using semodule -d and re-enable it again using semodule -e. In the file system the rules are found in /var/lib/selinux/targeted/active/modules. Subdirectory 100 is for Fedora provided rules, and 300 and 400 for your own modules.
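The "ausearch | audit2allow -M" step in the question and the semodule -i/-d/-e/-r lifecycle in the answers both work on the same object: a small type-enforcement module derived from the AVC line. The script below is an added example written for this page (it is not from the question, the answers, or the VirtualBox or SELinux projects). It reproduces, in plain sh and awk, what audit2allow -M generates from raw AVC denials, so you can read the rule before you compile and load it. The input is constructed: the first AVC line is the one from the question, the second is a hypothetical follow-up denial for the same domain added to show how permissions are merged. Note what the generated rule actually says: it allows init_t the listed permissions on every file labelled var_log_t, not only on vbox-setup.log, because SELinux rules are written in terms of types, not file names or executable names.

```shell
#!/bin/sh
# Added example for this page, not code from the original post.
# Turn raw AVC denial lines into the type-enforcement (.te) source that
# "audit2allow -M <name>" would produce for them. Pure sh + awk, so it runs
# anywhere; nothing here touches the running SELinux policy.

# Constructed sample input: line 1 is the AVC from the question, line 2 is a
# hypothetical second denial (write+open) for the same source/target/class.
SAMPLE_AVC='type=AVC msg=audit(1537617278.521:227): avc:  denied  { create } for  pid=946 comm="vboxdrv.sh" name="vbox-setup.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1537617278.522:228): avc:  denied  { write open } for  pid=946 comm="vboxdrv.sh" name="vbox-setup.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_to_te MODULE_NAME  < avc-lines
# Emits one "allow SRC TGT:CLASS { perms };" per distinct (source type, target
# type, class) triple, plus the require block audit2allow adds in front of it.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        s = $0
        sub(/^.*[{] */, "", s); sub(/ *[}].*$/, "", s)          # e.g. "write open"
        # contexts are user:role:TYPE:level; rules need only the TYPE field
        match($0, /scontext=[^ ]+/); sc = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); tc = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        split(sc, a, ":"); st = a[3]
        split(tc, b, ":"); tt = b[3]
        if (!(st in types))    { types[st] = 1;   tlist[++nt] = st }
        if (!(tt in types))    { types[tt] = 1;   tlist[++nt] = tt }
        if (!(cls in classes)) { classes[cls] = 1; clist[++nc] = cls }
        key = st " " tt ":" cls
        if (!(key in rules))   { rules[key] = "";  klist[++nk] = key }
        n = split(s, p, " ")
        for (i = 1; i <= n; i++) {
            if (!((key, p[i]) in seen)) {            # merge perms per rule
                seen[key, p[i]] = 1
                rules[key] = rules[key] (rules[key] == "" ? "" : " ") p[i]
            }
            if (!((cls, p[i]) in cseen)) {           # merge perms per class
                cseen[cls, p[i]] = 1
                cperms[cls] = cperms[cls] (cperms[cls] == "" ? "" : " ") p[i]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", clist[i], cperms[clist[i]]
        printf "}\n\n"
        for (i = 1; i <= nk; i++) printf "allow %s { %s };\n", klist[i], rules[klist[i]]
    }'
}

# Run the sample through the generator.
demo() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_te my-vboxdrvsh
}

demo

# On the SELinux host the generated .te is compiled and managed like this
# (real checkmodule/semodule_package/semodule invocations, shown as comments
# because they need an SELinux-enabled system and root):
#   checkmodule -M -m -o my-vboxdrvsh.mod my-vboxdrvsh.te
#   semodule_package -o my-vboxdrvsh.pp -m my-vboxdrvsh.mod
#   semodule -X 300 -i my-vboxdrvsh.pp   # install at priority 300 (the question's command)
#   semodule -l | grep my-vboxdrvsh      # confirm it is loaded
#   semodule -d my-vboxdrvsh             # disable without removing
#   semodule -e my-vboxdrvsh             # re-enable
#   semodule -r my-vboxdrvsh             # remove for good
```

Running the script prints a module whose only rule is "allow init_t var_log_t:file { create write open };". Reading that line is the check worth doing before semodule -i: the denial was about one log file, but the rule is keyed on the init_t and var_log_t types, so it widens what everything running as init_t may do under /var/log. If that is broader than you want, the cleaner fix is a proper domain for the script (or the bug report the setroubleshoot text suggests) rather than loading the catchall rule as-is.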