Re: Please help me in resolving this issue

Hi Daniel,

I have checked the file_contexts file 

 #grep :login_exec_t contexts/files/file_contexts
/bin/login -- system_u:object_r:login_exec_t:s0
/bin/login\.shadow -- system_u:object_r:login_exec_t:s0
/bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0

Now if I run in permissive mode, I can see the login programs below are running
(Here I gave unconfined_r as role and s0 as range)

 1109 root      3540 S    /bin/login --
 1111 root         0 SW   [kauditd]
 1113 root      3020 S    -sh

But when I run in enforcing mode I get the same error

arm-cortex-a15 login: root
Last login: Tue Aug 18 11:36:58 UTC 2015 on console
Would you like to enter a security context? [N]  Y
role: unconfined_r
level: s0
[ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Cannot execute /bin/sh: Permission denied

MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console

arm-cortex-a15 login:


Please guide me on what is going wrong and how to resolve this issue.

Thanks,
Srinivas.

On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
What is the path to the login program?  What is it labeled?  The problem is login is running with the wrong context.

It should be labeled login_exec_t

grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
/bin/login    --    system_u:object_r:login_exec_t:s0
/usr/bin/login    --    system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5    --    system_u:object_r:login_exec_t:s0


init_t is supposed to transition to local_login_t when executing the login program.


On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
Hi Daniel,

Thanks for the quick reply. Please find the first-time boot log with labeling and reboot.

Also find the second-time boot log from when I created /.autorelablel.

Somehow I am not able to log in as root.

Your help is really appreciated.

Thanks,
Srinivas.

On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
Looks like you have a labeling issue.

touch /.autorelabel; reboot

Should fix the issues.



On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
Hi All,

I am very new to SELinux. Today I ported SELinux to my embedded platform with targeted policy + enforcing.

When I try to boot, it completes labeling the filesystem. But I am not able to log in as root. See my error log...

arm-cortex-a15 login: root
Last login: Tue Aug 18 11:36:58 UTC 2015 on console
Would you like to enter a security context? [N]  Y
role: unconfined_r
level: s0
[ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Cannot execute /bin/sh: Permission denied

MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console

arm-cortex-a15 login:

Please help me. How can I solve this issue and achieve a normal boot?


Thanks,
Srinivas.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
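
The denial quoted in this thread can be read mechanically. The following is an added example, not part of the original messages and not code from the SELinux project: it parses the `avc: denied` lines, groups the repeats, and flags that `login` is still in `init_t` instead of the `local_login_t` domain named in the reply. The function names and the `EXPECTED_DOMAIN` table are assumptions of this example.

```python
import re
from collections import Counter

# Constructed input: the two denial lines quoted in the thread plus one non-AVC console line.
LOG = [
    '[ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    '[ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    "Cannot execute /bin/sh: Permission denied",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: the domain a program should already be in when it
# starts a user shell. The thread's reply names local_login_t for login.
EXPECTED_DOMAIN = {"login": "local_login_t"}

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    for key in ("scontext", "tcontext"):
        # Format is user:role:type[:level]; an MLS level may itself contain ':'.
        user, role, type_, *level = rec[key].split(":")
        rec[key] = {"user": user, "role": role, "type": type_, "level": ":".join(level)}
    return rec

def diagnose(lines):
    """Group identical denials and flag a program stuck in the wrong source domain."""
    seen = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        seen[(rec.get("comm"), rec["scontext"]["type"], rec["tcontext"]["type"],
              rec["tclass"], tuple(rec["perms"]))] += 1
    findings = []
    for (comm, src, tgt, tclass, perms), count in seen.items():
        want = EXPECTED_DOMAIN.get(comm)
        missed = tclass == "process" and "transition" in perms and want not in (None, src)
        findings.append({"comm": comm, "source": src, "target": tgt, "count": count,
                         "expected_source": want, "missed_domain_transition": missed})
    return findings

if __name__ == "__main__":
    for finding in diagnose(LOG):
        print(finding)
```

A finding with `missed_domain_transition` set points at the label of the executable named in `comm`, which is the check the reply in this thread asks for (`login_exec_t` on the login binary).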