Unable to login with targeted policy, enforcing mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi All,

I am new to selinux stuff and I am trying to port selinux to embedded platform using meta-selinux layer from yocto project (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/?h=dizzy)

Problem:

Not able to login with root user. root user is not acceptable while booting in enforcing mode of targeted policy.

Observations:

with permissive mode, was able to login and captured below details. Using sysvinit as init manager.

#ps
 714 root      4920 S    /lib/udev/udevd -d
  825 root      4916 S    /lib/udev/udevd -d
  826 root      4916 S    /lib/udev/udevd -d
 1022 root      2172 S    {udhcpc} /bin/busybox /sbin/udhcpc -R -n -p /var/run
 1039 messageb 11204 S    /usr/bin/dbus-daemon --system
 1043 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1044 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1051 root      2172 S    {syslogd} /bin/busybox /sbin/syslogd -n -O /var/log/
 1054 root      2172 S    {klogd} /bin/busybox /sbin/klogd -n
 1057 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1060 avahi     3172 S    avahi-daemon: running [arm-cortex-a15.local]
 1061 avahi     3172 S    avahi-daemon: chroot helper
 1072 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1076 root      3544 S    /bin/login --
 1078 root         0 SW   [kauditd]
 1080 root      3020 S    -sh
 1081 root      2504 R    {ps} /bin/busybox /bin/ps

#sestatus -v
root@arm-cortex-a15:~# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0

File contexts:
Controlling terminal:           unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0


root@arm-cortex-a15:~# sesearch -T -t login_exec_t 
Found 3 semantic te rules:
   type_transition rlogind_t login_exec_t : process remote_login_t; 
   type_transition telnetd_t login_exec_t : process remote_login_t; 
   type_transition getty_t login_exec_t : process local_login_t; 


root@arm-cortex-a15:~# sesearch -T -t getty_exec_t 
Found 2 semantic te rules:
   type_transition init_t getty_exec_t : process getty_t; 
   type_transition initrc_t getty_exec_t : process getty_t; 


root@arm-cortex-a15:~# grep getty_exec_t /etc/selinux/targeted/contexts/files/file-contexts
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
root@arm-cortex-a15:~# 

policy rules in /etc/selinux/targeted/contexts/files/file-contexts are

/bin/bash       --      system_u:object_r:shell_exec_t:s0
/bin/login      --      system_u:object_r:login_exec_t:s0
/bin/d?ash      --      system_u:object_r:shell_exec_t:s0
/sbin/.*getty   --      system_u:object_r:getty_exec_t:s0

As of now I am completely struck. Please help me to resolve this issue. 
What modifications are needed to login as root under targeted policy and enforcing mode?

Thanks and Regards,
Srinivas.



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux