dickwan

Reputation: 337

Unable to change SELinux security context for the VirtualBox shared folder

I'm facing the following situation. For web development purposes, I've managed to set up a CentOS 7 guest VM with VirtualBox. I've installed a LAMP stack and configured Apache (vhost, added apache as a member of the group vboxsf, added the firewall rule) to access the VirtualBox shared folder.

Configuration settings of the guest CentOS 7 VM:

Virtual machine hostname: dickwan.dev
Shared Folders:
    Name    |   Read-only   | Auto-mount
    ------------------------------------
    dickwan |   no          | yes
    ------------------------------------


Networking: NAT (with port forwarding rules)
Port Forwarding Rules:
    Name    |   Protocol    |   Host IP     |   Host Port   |   Guest IP    |   Guest Port
    --------------------------------------------------------------------------------------
    HTTP    |   TCP         |   . . .       |   8080        |   . . .       |   80
    --------------------------------------------------------------------------------------
    MariaDB |   TCP         |   . . .       |   9306        |   . . .       |   3306
    --------------------------------------------------------------------------------------
    SSH     |   TCP         |   . . .       |   2222        |   . . .       |   22

Now when in my host machine, I open a browser and navigate to (let us say):

http://dickwan.dev:8080/server-status

I get the message:

Forbidden

You don't have permission to access /server-status on this server.

I've tracked down the problem to a SELinux security context type problem. When SELinux is disabled everything works just fine (well... fine yeah hum).

But it feels to me like a bad practice just to shut down the security feature. I've tried to change the context of the shared folder, but I was not able to conduct the operation.

Is there a chance to have access to the shared folder through Apache without deactivating SELinux?

Upvotes: 1

Views: 1854

Answers (2)

guiweb

Reputation: 975

Since the security context of VBox shared folders cannot be changed, you can modify the SELinux security policy to allow Apache to work with the context. It is similar to opening a port in your firewall to expose a certain port to an application.

First, make sure your apache user is part of the group which owns the shared folder; if it is not, you can add it with a command that would look like this (the user/group names can be different on your system):

usermod -aG vboxsf apache

Then, you can use audit2allow to generate a new security policy to work around your issues. Here is a good tutorial.

If you are lazy and only want to allow Apache read access to your VBox shared folders, you can probably adapt the following my_httpd_t.te policy file and use the included commands to apply it on your system.

module my_httpd_t 1.0;

require {
        type httpd_t;
        type vmblock_t;
        class dir read;
        class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t vmblock_t:dir read;
allow httpd_t vmblock_t:file { getattr open read };

# Generated by audit2allow

# To apply this policy:
## checkmodule -M -m -o my_httpd_t.mod my_httpd_t.te
## semodule_package -o my_httpd_t.pp -m my_httpd_t.mod
## semodule -i my_httpd_t.pp
## systemctl restart httpd

Upvotes: 2
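The answer above hands you a finished .te module and points at audit2allow for generating your own. As an added illustration (not code from the original post, and not audit2allow itself), the script below does the same job on a small scale: it parses AVC denial records of the kind SELinux writes to the audit log, aggregates the denied permissions per (source domain, target type, object class), renders a module in the same shape as the my_httpd_t.te file shown above, and separately lists any rule that would grant more than read access, so a module generated from denials is reviewed before it is loaded. The audit lines, PIDs, paths and the WRITE_DENIAL record are constructed sample data; the vmblock_t/httpd_t types and the module name come from the answer.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the post): the denials
# SELinux logs when httpd_t reads a vboxsf mount, whose files carry the
# vmblock_t label that chcon cannot change.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1418325600.101:301): avc:  denied  { read } for  pid=1421 comm="httpd" name="dickwan" dev="vboxsf" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1418325600.102:302): avc:  denied  { getattr } for  pid=1421 comm="httpd" path="/media/sf_dickwan/index.html" dev="vboxsf" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=file permissive=0
type=AVC msg=audit(1418325600.103:303): avc:  denied  { read open } for  pid=1421 comm="httpd" path="/media/sf_dickwan/index.html" dev="vboxsf" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1418325600.103:303): arch=c000003e syscall=2 success=no exit=-13
"""

# Constructed denial that a blind generator would also turn into an allow rule.
WRITE_DENIAL = ('type=AVC msg=audit(1418325600.200:310): avc:  denied  { write } for  '
                'pid=1421 comm="httpd" path="/media/sf_dickwan/upload.tmp" dev="vboxsf" '
                'ino=9 scontext=system_u:system_r:httpd_t:s0 '
                'tcontext=system_u:object_r:vmblock_t:s0 tclass=file permissive=0')

# Permissions that only let the domain read; anything else deserves a manual look.
SAFE_READ_ONLY = {"read", "getattr", "open", "search", "lock", "ioctl", "map"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<sdomain>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text):
    """Return {(source_domain, target_type, tclass): set(perms)} from AVC records."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (m["sdomain"], m["ttype"], m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def build_te_module(name, denials, version="1.0"):
    """Render a minimal Type Enforcement (.te) module covering the denials."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for tclass, perms in sorted(classes.items()):
        lines.append(f"\tclass {tclass} {{ {' '.join(sorted(perms))} }};")
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(denials.items()):
        lines.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def unsafe_rules(denials):
    """Rules that would grant more than read access; review these before loading."""
    return {key: sorted(perms - SAFE_READ_ONLY)
            for key, perms in denials.items() if perms - SAFE_READ_ONLY}


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(build_te_module("my_httpd_t", found))
    print("rules needing review:", unsafe_rules(found))
    # Build and load the module with the same commands as the answer:
    #   checkmodule -M -m -o my_httpd_t.mod my_httpd_t.te
    #   semodule_package -o my_httpd_t.pp -m my_httpd_t.mod
    #   semodule -i my_httpd_t.pp
```

Run on the sample log it produces the same two allow rules as the module in the answer (dir read; file getattr, open, read) and an empty review list; feeding it WRITE_DENIAL instead shows why the review step matters, since that record alone would add a write rule to httpd_t.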

seba

Reputation: 26

I had a similar problem (except Fedora 20 as host and guest OS). What I did:

sudo mount -t vboxsf shared_folder /media/shared_folder

sudo ln -s /media/shared_folder/ /var/www/

sudo chcon -R --reference=/var/www /var/www/shared_folder

And this works for me :)

Before that, I tried to set the security context on the shared folder automatically mounted by VirtualBox, but without success, so I mount it manually.

Upvotes: 1
