Bug 653504

Summary:	app-emulation/virtualbox-5.2.10 on selinux - .../work/VirtualBox-5.2.10/out/linux.amd64/release/bin/tstVMStructRC: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
Product:	Gentoo Linux	Reporter:	Doppler <sevener.gentoo>
Component:	Current packages	Assignee:	Viorel Munteanu <ceamac>
Status:	RESOLVED TEST-REQUEST
Severity:	normal	CC:	masterzorag, powerman-asdf, selinux
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	last 1000 lines of build.log

Description Doppler 2018-04-18 18:56:19 UTC

type=AVC msg=audit(1524077491.354:15184): avc:  denied  { execmod } for  pid=4910 comm="tstVMStructRC" path="/var/tmp/portage/app-emulation/virtualbox-5.2.10/work/VirtualBox-5.2.10/out/linux.amd64/release/bin/tstVMStructRC" dev="sda3" ino=40903543 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmp_t tclass=file permissive=0                                             
type=SYSCALL msg=audit(1524077491.354:15184): arch=40000003 syscall=125 success=no exit=-13 a0=56647000 a1=17000 a2=5 a3=ffd9b460 items=0 ppid=30079 pid=4910 auid=1000 uid=250 gid=250 euid=250 suid=250 fsuid=250 egid=250 sgid=250 fsgid=250 tty=pts1 ses=3 comm="tstVMStructRC" exe="/var/tmp/portage/app-emulation/virtualbox-5.2.10/work/VirtualBox-5.2.10/out/linux.amd64/release/bin/tstVMStructRC" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)ARCH=i386 SYSCALL=mprotect AUID="defceb" UID="portage" GID="portage" EUID="portage" SUID="portage" FSUID="portage" EGID="portage" SGID="portage" FSGID="portage"                                                               
type=PROCTITLE msg=audit(1524077491.354:15184): proctitle="/var/tmp/portage/app-emulation/virtualbox-5.2.10/work/VirtualBox-5.2.10/out/linux.amd64/release/bin/tstVMStructRC"


!!! When you file a bug report, please include the following information:
GENTOO_VM=  CLASSPATH="" JAVA_HOME="/etc/java-config-2/current-system-vm" JAVACFLAGS="" COMPILER=""

Portage 2.3.30 (python 3.5.5-final-0, targets/desktop, gcc-7.3.0, glibc-2.26-r6, 4.16.2-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.16.2-gentoo-x86_64-Intel-R-_Core-TM-_i7-4700MQ_CPU_@_2.40GHz-with-gentoo-2.4.1
KiB Mem:     8080156 total,   1732092 free
KiB Swap:   16777212 total,  16777212 free
Timestamp of repository gentoo: Wed, 18 Apr 2018 11:51:12 +0000
Head commit of repository gentoo: 9bf8d7a258a5582e33506634ae206c5330dce3ad

Head commit of repository esteid: 756c53647a6a7c5f8189b6f0ab4328bb8c5f4503

Timestamp of repository raiagent: Thu, 29 Mar 2018 03:04:13 +0000
Head commit of repository raiagent: 45b2c6ecfc636d84f171bf54b4db906de26ecfac

Timestamp of repository ssnb: Fri, 06 Apr 2018 20:37:35 +0000
Head commit of repository ssnb: de6d7d85d7891c0cc14e927247e45b198e7611af

Timestamp of repository steam-overlay: Thu, 29 Mar 2018 03:04:27 +0000
Head commit of repository steam-overlay: 4d62e7ea233eeb847db136e777045149657edfe4

Timestamp of repository weuxel: Tue, 03 Apr 2018 18:11:39 +0000
Head commit of repository weuxel: be39eafbd672640ee8bad5cace8ad1d990875c4b

sh bash 4.4_p19
ld GNU ld (Gentoo 2.30 p1) 2.30.0
ccache version 3.3.4 [disabled]
app-shells/bash:          4.4_p19::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.26.1-r2::gentoo
dev-lang/python:          2.7.14-r1::gentoo, 3.5.5::gentoo, 3.6.5::gentoo
dev-util/ccache:          3.3.4-r1::gentoo
dev-util/cmake:           3.11.1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.35.5::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.16.1-r1::gentoo
sys-devel/binutils:       2.30-r1::gentoo
sys-devel/gcc:            6.4.0-r1::gentoo, 7.2.0-r1::gentoo, 7.3.0-r1::gentoo
sys-devel/gcc-config:     1.9.1::gentoo
sys-devel/libtool:        2.4.6-r5::gentoo
sys-devel/make:           4.2.1-r3::gentoo
sys-kernel/linux-headers: 4.16-r1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.26-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo
    priority: -1000

esteid
    location: /var/db/repos/esteid
    sync-type: git
    sync-uri: https://github.com/open-eid/gentoo.git
    masters: gentoo

raiagent
    location: /var/db/repos/raiagent
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/raiagent.git
    masters: gentoo

ssnb
    location: /var/db/repos/ssnb
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/ssnb.git
    masters: gentoo

steam-overlay
    location: /var/db/repos/steam-overlay
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/steam-overlay.git
    masters: gentoo

weuxel
    location: /var/db/repos/weuxel
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/weuxel.git
    masters: gentoo

local
    location: /usr/local/portage
    masters: gentoo
    priority: 10

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs cgroup config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install preserve-libs protect-owned sandbox selinux sesandbox sfperms strict strict-keepdir unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://mirror.dkm.cz/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 audit bluetooth branding bzip2 cairo caps cdda cdr cjk consolekit crypt curl cxx dbus dri dri3 dts dvd dvdr emboss encode exif fam ffmpeg flac gif glamor gpm gtk gtk3 hardened iconv icu ipv6 jit jpeg lcms ldap libass libnotify lz4 lzma lzo mad matroska mng mp3 mp4 mpeg mtp multilib ncurses nls nptl offensive ogg open_perms opengl openmp openssl pam pango pcre pdf peer_perms pgo pie png policykit ppds ptpax pulseaudio qt5 raw readline samba sdl seccomp selinux smartcard socks5 sound spell ssl ssp startup-notification svg threads tiff truetype udev udisks unconfined unicode upower usb v4l vaapi vorbis wayland webp wifi wxwidgets x264 xattr xcb xml xtpax xv xvid zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon plan sheets stage words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XFCE_PLUGINS="brightness clock trash power" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, ENV_UNSET, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Doppler 2018-04-18 18:58:47 UTC

Created attachment 528016 [details]
last 1000 lines of build.log

Comment 2 Doppler 2018-04-18 20:39:51 UTC

Oh, this as well. Builds fine after allowing both.

type=AVC msg=audit(1524080426.816:15252): avc:  denied  { execute } for  pid=18921 comm="VBoxTpG" path="/etc/ld.so.cache" dev="sda3" ino=55575004 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:ld_so_cache_t tclass=file permissive=0

Comment 3 Doppler 2018-06-14 13:21:39 UTC

Scanelf says tstVMStructRC has textrel.
 TYPE    PAX   PERM ENDIAN STK/REL/PTL TEXTREL RPATH BIND FILE 
ET_DYN PeMRxS 0755 LE RW- R-- RW- TEXTREL   -   NOW /var/tmp/portage/app-emulation/virtualbox-5.2.12/work/VirtualBox-5.2.12/out/linux.amd64/release/bin/tstVMStructRC

Comment 4 Alex Efros 2018-09-20 19:20:45 UTC

Exactly same happens on hardened kernel (PaX) without SELinux with app-emulation/virtualbox-5.2.14-r1:

build log:
kmk_builtin_redirect -wo /var/tmp/portage/app-emulation/virtualbox-5.2.14-r1/work/VirtualBox-5.2.14/out/linux.amd64/release/obj/VMM/tstVMStructRC.h -- /var/tmp/portage/app-emulation/virtualbox-5.2.14-r1/work/VirtualBox-5.2.14/out/linux.amd64/release/bin/tstVMStructRC
/var/tmp/portage/app-emulation/virtualbox-5.2.14-r1/work/VirtualBox-5.2.14/out/linux.amd64/release/bin/tstVMStructRC: error while loading shared libraries: cannot make segment writable for relocation: Permission denied
kmk: *** [/var/tmp/portage/app-emulation/virtualbox-5.2.14-r1/work/VirtualBox-5.2.14/out/linux.amd64/release/obj/VMM/tstVMStructRC.h] Error 127
kmk: *** Deleting file `/var/tmp/portage/app-emulation/virtualbox-5.2.14-r1/work/VirtualBox-5.2.14/out/linux.amd64/release/obj/VMM/tstVMStructRC.h'
kmk: *** Waiting for unfinished jobs....

kernel log:
kern.alert: grsec: denied RWX mprotect of /var/tmp/portage/app-emulation/virtualbox-5.2.14-r1/work/VirtualBox-5.2.14/out/linux.amd64/release/bin/tstVMStructRC by /var/tmp/portage/app-emulation/virtualbox-5.2.14-r1/work/VirtualBox-5.2.14/out/linux.amd64/release/bin/tstVMStructRC[tstVMStructRC:2811] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/kmk[kmk:21361] uid/euid:250/250 gid/egid:250/250

Comment 5 Mira Ressel 2018-10-03 19:29:35 UTC

This looks like the virtualbox ebuild is executing some tests, especially considering that the executable is named "tstVMStructRC".

@Lars: Is my assumption right? If it is, the ebuild should disable those tests unless the user requests them -- there wouldn't be any selinux problems if the ebuild wasn't trying to execute virtualbox at compile time.

Comment 6 Viorel Munteanu gentoo-dev

2022-11-09 15:17:13 UTC

On my system tstVMStructRC is no longer being built.  Does this issue still occur?

Tested in 7.0.2.