Hi All,
I am new to SELinux and I am trying to port SELinux to an embedded platform using the meta-selinux layer from the Yocto Project (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/?h=dizzy)
Problem:
Not able to log in as the root user. The root user is not accepted while booting in enforcing mode of the targeted policy.
Observations:
In permissive mode, I was able to log in and captured the details below. Using sysvinit as the init manager.
#ps
714 root 4920 S /lib/udev/udevd -d
825 root 4916 S /lib/udev/udevd -d
826 root 4916 S /lib/udev/udevd -d
1022 root 2172 S {udhcpc} /bin/busybox /sbin/udhcpc -R -n -p /var/run
1039 messageb 11204 S /usr/bin/dbus-daemon --system
1043 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
1044 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
1051 root 2172 S {syslogd} /bin/busybox /sbin/syslogd -n -O /var/log/
1054 root 2172 S {klogd} /bin/busybox /sbin/klogd -n
1057 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
1060 avahi 3172 S avahi-daemon: running [arm-cortex-a15.local]
1061 avahi 3172 S avahi-daemon: chroot helper
1072 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
1076 root 3544 S /bin/login --
1078 root 0 SW [kauditd]
1080 root 3020 S -sh
1081 root 2504 R {ps} /bin/busybox /bin/ps
#sestatus -v
root@arm-cortex-a15:~# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
File contexts:
Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
root@arm-cortex-a15:~# sesearch -T -t login_exec_t
Found 3 semantic te rules:
type_transition rlogind_t login_exec_t : process remote_login_t;
type_transition telnetd_t login_exec_t : process remote_login_t;
type_transition getty_t login_exec_t : process local_login_t;
root@arm-cortex-a15:~# sesearch -T -t getty_exec_t
Found 2 semantic te rules:
type_transition init_t getty_exec_t : process getty_t;
type_transition initrc_t getty_exec_t : process getty_t;
root@arm-cortex-a15:~# grep getty_exec_t /etc/selinux/targeted/contexts/files/file-contexts
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
root@arm-cortex-a15:~#
The policy rules in /etc/selinux/targeted/contexts/files/file-contexts are:
/bin/bash -- system_u:object_r:shell_exec_t:s0
/bin/login -- system_u:object_r:login_exec_t:s0
/bin/d?ash -- system_u:object_r:shell_exec_t:s0
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
As of now I am completely stuck. Please help me to resolve this issue.
What modifications are needed to login as root under targeted policy and enforcing mode?
Thanks and Regards,
Srinivas.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
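The sesearch and file-contexts output quoted in the post show that local_login_t is entered only from getty_t, and getty_t only from init_t or initrc_t. The script below is an added illustration, not part of the original thread: it parses those quoted rules (copied here as constructed sample input) and reports which type_transition chain, if any, leads from init_t to the domain of /bin/login; exec_type_for, domains_entering and transition_chain are hypothetical helper names.

```python
import re
from collections import deque

# Constructed sample input: the sesearch -T rules quoted in the post.
SESEARCH_OUTPUT = """\
type_transition rlogind_t login_exec_t : process remote_login_t;
type_transition telnetd_t login_exec_t : process remote_login_t;
type_transition getty_t login_exec_t : process local_login_t;
type_transition init_t getty_exec_t : process getty_t;
type_transition initrc_t getty_exec_t : process getty_t;
"""

# Constructed sample input: the file-contexts lines quoted in the post.
FILE_CONTEXTS = """\
/bin/bash -- system_u:object_r:shell_exec_t:s0
/bin/login -- system_u:object_r:login_exec_t:s0
/bin/d?ash -- system_u:object_r:shell_exec_t:s0
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
"""

RULE_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+);")

def parse_transitions(text):
    """Return [(source_domain, exec_type, target_domain), ...] from sesearch output."""
    return [m.groups() for m in RULE_RE.finditer(text)]

def exec_type_for(path, file_contexts):
    """Type the file-contexts regexes assign to path (simplified: the real
    matchpathcon ranks entries by specificity; here the last full match wins)."""
    label = None
    for line in file_contexts.splitlines():
        parts = line.split()
        if len(parts) == 3 and re.fullmatch(parts[0], path):
            label = parts[2].split(":")[2]
    return label

def domains_entering(exec_type, transitions):
    """{source_domain: target_domain} for every rule that fires on exec_type."""
    return {src: tgt for src, ex, tgt in transitions if ex == exec_type}

def transition_chain(start, exec_type, transitions):
    """Breadth-first search over the rules: the shortest list of domains from
    start to the domain reached by executing exec_type, or None if no rule path
    exists (i.e. start would keep its own domain when executing that file)."""
    by_source = {}
    for src, ex, tgt in transitions:
        by_source.setdefault(src, []).append((ex, tgt))
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for ex, tgt in by_source.get(path[-1], []):
            if ex == exec_type:
                return path + [tgt]
            if tgt not in seen:
                seen.add(tgt)
                queue.append(path + [tgt])
    return None

if __name__ == "__main__":
    rules = parse_transitions(SESEARCH_OUTPUT)
    login = exec_type_for("/bin/login", FILE_CONTEXTS)
    print("/bin/login is", login, "entered from", domains_entering(login, rules))
    print("chain from init_t:", transition_chain("init_t", login, rules))
```

Run against the quoted rules it prints that init_t reaches local_login_t only through getty_t, which is the point to check when login is started without a getty in between.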