Hi All,
Please find the security contexts of necessary files
root@arm-cortex-a15:~# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0
Init context: system_u:system_r:init_t:s0
File contexts:
Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
Do I need to change any of the file contexts to avoid the issue of login failure?
Thanks,
Srinivas.
On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <sragolu@xxxxxxxxxx> wrote:
As I could not able to login, changed /etc/selinux/config from enforcing to permissive. Executed above commands.On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <sragolu@xxxxxxxxxx> wrote:Hi Daniel,Please see the output of security contexts. Also no usr is mounted.root@arm-cortex-a15:~# ls -lZ /bin/login*lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow-rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadowroot@arm-cortex-a15:~# mount/dev/root on / type ext2 (rw,relatime,seclabel)sysfs on /sys type sysfs (rw,relatime,seclabel)selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)proc on /proc type proc (rw,relatime)none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)please guide if you find an clue from above outputThanks,Srinivas.On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:ls -lZ /usr/bin/login*
By any chance is the /usr directory mounted NOSUID?
On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
Hi,
I am building for embedded platform. Could not able to get exact version. But can provide info about recipe in yocto.
Any pointers please?
Thanks,Srinivas.
On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
> Hi Daniel,
>
> I have checked the file_contexts file
>
> * #grep :login_exec_t contexts/files/file_contexts*
> /bin/login--system_u:object_r:login_exec_t:s0
> /bin/login\.shadow--system_u:object_r:login_exec_t:s0
> /bin/login\.tinylogin--system_u:object_r:login_exec_t:s0
> /usr/kerberos/sbin/login\.krb5--system_u:object_r:login_exec_t:s0
>
> Now If I run with permissive mode. I Could see below login programs are
> running
> (Here I gave unconfined_r as role and s0 as range)
>
> * 1109 root 3540 S /bin/login --*
> * 1111 root 0 SW [kauditd]*
> * 1113 root 3020 S -sh*
> *
> *
> But when I run with enforcing mode I get same error
>
> /*arm-cortex-a15 login: root*/
> /*Last login: Tue Aug 18 11:36:58 UTC 2015 on console*/
> /*Would you like to enter a security context? [N] Y*/
> /*role: unconfined_r*/
> /*level: s0*/
> /*[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied {
> transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
> ino=58115 scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*/
> /*[ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied {
> transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
> ino=58115 scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*/
> /*Cannot execute /bin/sh: Permission denied*/
> /*
> */
> /*MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console*/
> /*
> */
> /*arm-cortex-a15 login:*/
> /*
> */
> /*
> */
> /Please guide me what is going wrong and how to resolve this issue./
> /
> /
> /Thanks,/
> /Srinivas./
>
> On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx
> <mailto:dwalsh@xxxxxxxxxx>> wrote:
>
> What is the path to the login program? What is it labeled? The
> problem is login is running with the wrong context.
>
> It should be labeled login_exec_t
>
> grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
> /bin/login -- system_u:object_r:login_exec_t:s0
> /usr/bin/login -- system_u:object_r:login_exec_t:s0
> /usr/kerberos/sbin/login\.krb5 --
> system_u:object_r:login_exec_t:s0
>
>
> init_t is supposed to transition to local_login_t when executing the
> login program.
>
>
> On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>> Hi Daniel,
>>
>> Thanks for quick reply. Please find first time boot log with
>> lableling and reboot.
>>
>> Also find second time boot log when I created /.autorelablel.
>>
>> Somehow I could not able to login as root.
>>
>> Your help is really appriciated.
>>
>> Thanks,
>> Srinivas.
>>
>> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx
>> <mailto:dwalsh@xxxxxxxxxx>> wrote:
>>
>> Looks like you have a labeling issue.
>>
>> touch /.autorelabel; reboot
>>
>> Should fix the issues.
>>
>>
>>
>> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>>> Hi All,
>>>
>>> I have very new to selinux. Today I have ported selinux to my
>>> embedded platform with targeted policy+enforcing.
>>>
>>> When I try to boot, it completes labeling filesystem. But I
>>> could not able to login using root.. See my error log...
>>>
>>> /*arm-cortex-a15 login: root*/
>>> /*Last login: Tue Aug 18 11:36:58 UTC 2015 on console*/
>>> /*Would you like to enter a security context? [N] Y*/
>>> /*role: unconfined_r*/
>>> /*level: s0*/
>>> /*[ 1252.885468] type=1400 audit(1439898856.140:13): avc:
>>> denied { transition } for pid=1120 comm="login"
>>> path="/bin/bash" dev="mmcblk0" ino=58115
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>>> tclass=process*/
>>> /*[ 1252.887219] type=1400 audit(1439898856.140:14): avc:
>>> denied { transition } for pid=1120 comm="login"
>>> path="/bin/bash" dev="mmcblk0" ino=58115
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>>> tclass=process*/
>>> /*Cannot execute /bin/sh: Permission denied*/
>>> /*
>>> */
>>> /*MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15
>>> /dev/console*/
>>> /*
>>> */
>>> /*arm-cortex-a15 login:*/
>>> /*
>>> */
>>> Please help me.. How can I solve this issue and achieve
>>> normal boot.
>>>
>>>
>>> Thanks,
>>> Srinivas.
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
What does
$ rpm -q selinux-policy-targeted
?
Also could you try to reinstall the selinux-policy-targeted to see if it
blows up?
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux