The Google Android emulator requires
execheap permissions, otherwise it segfaults when SElinux is in enforcing mode. For those who are not familiar with the Android emulator: It uses a forked version of qemu.
The two easy solutions are
- setenforce 0
- setsebool -P allow_execheap 1
Obviously, those are far from ideal from a security perspective. Also, hoping for a patch so the emulator does not need execheap might take a very long time.
In my audit logs, I found that the offending process was indeed qemu-system-x86_64-headless, however, the bundled binary and not the "original" one. Therefore, the labels differ.
semanage fcontext --list | grep qemu-kvm
/usr/bin/qemu-kvm regular file system_u:object_r:qemu_exec_t:s0ls -laZ /root/android_sdk/emulator/qemu/linux-x86_64
-rwxr-xr-x. 1 root root unconfined_u:object_r:user_home_t:s0 31174856 Aug 1 16:32 qemu-system-x86_64-headlessexecheap was the issue pointed to GPU drivers. The machine I'm running on has neither a GPU nor iGPU. The Vulkan device used is Swiftshader.
Unfortunately, I am completely new to SElinux.
- Do I need to write a custom policy for the emulator? How? And how do I run it with said policy?
- Is labeling the executable(s) enough? How do I do that?
- How else can I make it work without enabling execheap globally or setting SElinux to permissive mode?
Asked by a.ilchinger
(151 rep)
Aug 3, 2023, 11:51 AM
Last activity: Sep 17, 2023, 01:38 PM
Last activity: Sep 17, 2023, 01:38 PM