Re: Please help me in resolving this issue


Ok so this is using your own policy.  Using system v init usually meant you went from init_t @ initrc_exec_t -> initrc_t @ mydomain_exec_t -> mydomain_t

You usually did not transition from the init system directly to the final domain.  

Are your init scripts labeled initrc_exec_t?


On 08/24/2015 05:15 AM, Srinivasa Rao Ragolu wrote:
Hi Daniel,

Sure. Sorry for the late reply. I am sharing the details now.

As I am using an embedded platform, I am referring to the yocto bitbake recipes for building the selinux layer (i.e. http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux).

Policy is targeted/enforcing. The version is 2.3.

root@arm-cortex-a15:~# rpm -qa | grep selinux
packagegroup-selinux-policycoreutils-lic-1.0-r0.cortexa15hf_vfp
packagegroup-core-selinux-lic-1.0-r0.cortexa15hf_vfp
selinux-config-lic-0.1-r4.arm_cortex_a15
libselinux-lic-2.3-r0.cortexa15hf_vfp
selinux-config-0.1-r4.arm_cortex_a15
libselinux-2.3-r0.cortexa15hf_vfp
libselinux-bin-2.3-r0.cortexa15hf_vfp
libselinux-python-2.3-r0.cortexa15hf_vfp
pam-plugin-selinux-1.1.6-r2.4.2.cortexa15hf_vfp
system-config-selinux-2.3-r0.cortexa15hf_vfp
packagegroup-selinux-policycoreutils-1.0-r0.cortexa15hf_vfp
packagegroup-core-selinux-1.0-r0.cortexa15hf_vfp


I am using sysvinit. Every daemon is running in its own context. Please see the attached rootfs log.


Thanks and Regards,
Srinivas.

On Fri, Aug 21, 2015 at 12:49 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:


On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu wrote:
Hi All,

Please find the security contexts of necessary files

root@arm-cortex-a15:~# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0
Init context:                   system_u:system_r:init_t:s0

File contexts:
Controlling terminal:           unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0

Do I need to change any of the file contexts to avoid the issue of login failure?

The problem is the login program is not transitioning from init_t to local_login_t. 

You never answered the question about what version of selinux-policy

rpm -q selinux-policy

Is this system using systemd?

Are other programs running in different contexts besides kernel_t and init_t?

Thanks,
Srinivas.

On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <sragolu@xxxxxxxxxx> wrote:
As I could not log in, I changed /etc/selinux/config from enforcing to permissive and executed the above commands.

On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <sragolu@xxxxxxxxxx> wrote:
Hi Daniel,

Please see the output of the security contexts. Also, no /usr is mounted.

root@arm-cortex-a15:~# ls -lZ /bin/login*
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0           17 Aug 18 15:06 /bin/login -> /bin/login.shadow
-rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow
root@arm-cortex-a15:~# mount
/dev/root on / type ext2 (rw,relatime,seclabel)
sysfs on /sys type sysfs (rw,relatime,seclabel)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
proc on /proc type proc (rw,relatime)
none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)
devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)
tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)


Please guide me if you find a clue in the above output.

Thanks,
Srinivas.


On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
ls -lZ /usr/bin/login*

By any chance is the /usr directory mounted NOSUID?


On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
Hi,

I am building for an embedded platform and could not get the exact version, but I can provide info about the recipe in yocto.


Any pointers please?

Thanks,
Srinivas.

On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
> Hi Daniel,
>
> I have checked the file_contexts file
>
> # grep :login_exec_t contexts/files/file_contexts
> /bin/login    --    system_u:object_r:login_exec_t:s0
> /bin/login\.shadow    --    system_u:object_r:login_exec_t:s0
> /bin/login\.tinylogin    --    system_u:object_r:login_exec_t:s0
> /usr/kerberos/sbin/login\.krb5    --    system_u:object_r:login_exec_t:s0
>
> Now if I run in permissive mode, I can see the login programs below are
> running.
> (Here I gave unconfined_r as the role and s0 as the range.)
>
> 1109 root      3540 S    /bin/login --
> 1111 root         0 SW   [kauditd]
> 1113 root      3020 S    -sh
>
> But when I run in enforcing mode I get the same error:
>
> arm-cortex-a15 login: root
> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
> Would you like to enter a security context? [N]  Y
> role: unconfined_r
> level: s0
> [ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  {
> transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
> ino=58115 scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> [ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  {
> transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
> ino=58115 scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> Cannot execute /bin/sh: Permission denied
>
> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>
> arm-cortex-a15 login:
>
> Please guide me on what is going wrong and how to resolve this issue.
>
> Thanks,
> Srinivas.
>
> On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx
> <mailto:dwalsh@xxxxxxxxxx>> wrote:
>
>     What is the path to the login program?  What is it labeled?  The
>     problem is login is running with the wrong context.
>
>     It should be labeled login_exec_t
>
>     grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
>     /bin/login    --    system_u:object_r:login_exec_t:s0
>     /usr/bin/login    --    system_u:object_r:login_exec_t:s0
>     /usr/kerberos/sbin/login\.krb5    --
>     system_u:object_r:login_exec_t:s0
>
>
>     init_t is supposed to transition to local_login_t when executing the
>     login program.
>
>
>     On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>>     Hi Daniel,
>>
>>     Thanks for the quick reply. Please find the first-time boot log with
>>     labeling and reboot.
>>
>>     Also find the second-time boot log, when I created /.autorelabel.
>>
>>     Somehow I could not log in as root.
>>
>>     Your help is really appreciated.
>>
>>     Thanks,
>>     Srinivas.
>>
>>     On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx
>>     <mailto:dwalsh@xxxxxxxxxx>> wrote:
>>
>>         Looks like you have a labeling issue.
>>
>>         touch /.autorelabel; reboot
>>
>>         Should fix the issues.
>>
>>
>>
>>         On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>>>         Hi All,
>>>
>>>         I am very new to selinux. Today I have ported selinux to my
>>>         embedded platform with targeted policy+enforcing.
>>>
>>>         When I try to boot, it completes labeling the filesystem. But I
>>>         could not log in using root. See my error log...
>>>
>>>         arm-cortex-a15 login: root
>>>         Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>>         Would you like to enter a security context? [N]  Y
>>>         role: unconfined_r
>>>         level: s0
>>>         [ 1252.885468] type=1400 audit(1439898856.140:13): avc:
>>>          denied  { transition } for  pid=1120 comm="login"
>>>         path="/bin/bash" dev="mmcblk0" ino=58115
>>>         scontext=system_u:system_r:init_t:s0
>>>         tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>>>         tclass=process
>>>         [ 1252.887219] type=1400 audit(1439898856.140:14): avc:
>>>          denied  { transition } for  pid=1120 comm="login"
>>>         path="/bin/bash" dev="mmcblk0" ino=58115
>>>         scontext=system_u:system_r:init_t:s0
>>>         tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>>>         tclass=process
>>>         Cannot execute /bin/sh: Permission denied
>>>
>>>         MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15
>>>         /dev/console
>>>
>>>         arm-cortex-a15 login:
>>>
>>>         Please help me. How can I solve this issue and achieve a
>>>         normal boot?
>>>
>>>
>>>         Thanks,
>>>         Srinivas.
>>>
>>>
>>>         --
>>>         selinux mailing list
>>>         selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>         <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>>         https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
>>
>
>
>
>
>

What does

$ rpm -q selinux-policy-targeted

?

Also could you try to reinstall the selinux-policy-targeted to see if it
blows up?

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.












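Added example, not code from this thread or from any of its participants: a small parser for the AVC denials quoted above that splits each context into user/role/type/level, collapses the repeated denials into one finding, and explains a process-transition denial against the chain Daniel describes (init_t should become local_login_t when it executes a login_exec_t binary). The sample log lines are the thread's denials re-joined onto single lines, and the expected-domain table holds only the login case the thread states.

```python
import re
from collections import Counter, namedtuple
# Constructed sample: the two denials from the thread re-joined onto one line each, plus a non-AVC line.
SAMPLE_LOG = [
    '[ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    '[ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'Cannot execute /bin/sh: Permission denied',
]
# From the thread: init_t should transition to local_login_t when it executes a login_exec_t binary.
EXPECTED = {"login": ("local_login_t", "login_exec_t")}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"
# user:role:type:level; maxsplit keeps an MLS range such as s0-s0:c0.c1023 in one piece
Context = namedtuple("Context", "user role type level")

def parse_context(text):
    return Context(*text.split(":", 3))

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: inner if raw.startswith('"') else raw
              for k, raw, inner in FIELD_RE.findall(m.group("fields"))}
    return {"perms": tuple(m.group("perms").split()), "comm": fields.get("comm"),
            "path": fields.get("path"), "tclass": fields["tclass"],
            "scontext": parse_context(fields["scontext"]),
            "tcontext": parse_context(fields["tcontext"])}

def diagnose(denial):
    """Explain a process-transition denial against the domain chain the thread describes."""
    if denial["tclass"] != "process" or "transition" not in denial["perms"]:
        return None
    src, comm = denial["scontext"].type, denial["comm"]
    if comm in EXPECTED and src != EXPECTED[comm][0]:
        domain, exec_type = EXPECTED[comm]
        return (f"{comm} is still running as {src}, not {domain}: the {comm} binary "
                f"(or the target of its symlink) is probably not labeled {exec_type}")
    return f"no rule lets {src} transition to {denial['tcontext'].type} when executing {denial['path']}"

def summarize(lines):
    """Collapse repeated denials into (key, count, diagnosis) so a burst of audit lines reads as one finding."""
    first, counts = {}, Counter()
    for d in filter(None, map(parse_avc, lines)):
        key = (d["comm"], d["perms"], d["scontext"].type, d["tcontext"].type, d["tclass"])
        counts[key] += 1
        first.setdefault(key, d)
    return [(key, counts[key], diagnose(first[key])) for key in first]
```

Running `summarize(SAMPLE_LOG)` on the thread's console output yields a single finding seen twice, pointing at the login binary's label rather than at a missing policy rule.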
