On 08/25/2015 02:36 PM, Srinivasa Rao Ragolu wrote:
> Hi All,
>
> I am new to selinux stuff and I am trying to port selinux to embedded
> platform using meta-selinux layer from yocto project
> (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/?h=dizzy)
>
> *Problem:*
>
> Not able to login with root user. root user is not acceptable while
> booting in enforcing mode of targeted policy.
>
> *Observations:*
>
> with permissive mode, was able to login and captured below details.
> Using sysvinit as init manager.
>
> *#ps*
> 714 root 4920 S /lib/udev/udevd -d
> 825 root 4916 S /lib/udev/udevd -d
> 826 root 4916 S /lib/udev/udevd -d
> 1022 root 2172 S {udhcpc} /bin/busybox /sbin/udhcpc -R -n -p /var/run
> 1039 messageb 11204 S /usr/bin/dbus-daemon --system
> 1043 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
> 1044 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
> 1051 root 2172 S {syslogd} /bin/busybox /sbin/syslogd -n -O /var/log/
> 1054 root 2172 S {klogd} /bin/busybox /sbin/klogd -n
> 1057 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
> 1060 avahi 3172 S avahi-daemon: running [arm-cortex-a15.local]
> 1061 avahi 3172 S avahi-daemon: chroot helper
> 1072 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
> 1076 root 3544 S /bin/login --
> 1078 root 0 SW [kauditd]
> 1080 root 3020 S -sh
> 1081 root 2504 R {ps} /bin/busybox /bin/ps
>
> *#sestatus -v*
> root@arm-cortex-a15:~# sestatus -v
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: permissive
> Mode from config file: permissive
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Max kernel policy version: 28
>
> Process contexts:
> Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Init context: system_u:system_r:init_t:s0
>
> File contexts:
> Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0
> /etc/passwd system_u:object_r:etc_t:s0
> /etc/shadow system_u:object_r:shadow_t:s0
> /bin/bash system_u:object_r:shell_exec_t:s0
> /bin/login system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
> /bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> /sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
> /lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
>
>
> *root@arm-cortex-a15:~# sesearch -T -t login_exec_t*
> Found 3 semantic te rules:
> type_transition rlogind_t login_exec_t : process remote_login_t;
> type_transition telnetd_t login_exec_t : process remote_login_t;
> type_transition getty_t login_exec_t : process local_login_t;
>
>
> *root@arm-cortex-a15:~# sesearch -T -t getty_exec_t*
> Found 2 semantic te rules:
> type_transition init_t getty_exec_t : process getty_t;
> type_transition initrc_t getty_exec_t : process getty_t;
>
>
> *root@arm-cortex-a15:~# grep getty_exec_t /etc/selinux/targeted/contexts/files/file-contexts*
> /sbin/.*getty -- system_u:object_r:getty_exec_t:s0
> root@arm-cortex-a15:~#
>
> policy rules in /etc/selinux/targeted/contexts/files/file-contexts are
>
> /bin/bash -- system_u:object_r:shell_exec_t:s0
> /bin/login -- system_u:object_r:login_exec_t:s0
> /bin/d?ash -- system_u:object_r:shell_exec_t:s0
> /sbin/.*getty -- system_u:object_r:getty_exec_t:s0
>
> As of now I am completely stuck. Please help me to resolve this issue.
> What modifications are needed to login as root under targeted policy and
> enforcing mode?
>
> Thanks and Regards,
> Srinivas.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Are there AVCs in permissive mode? Re-test and run

# ausearch -m avc,user_avc -ts recent

Also try to check /var/log/secure.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
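The thread pastes two artefacts that together decide whether a console login ends up in the right domain: the file_contexts entries (which type a relabel gives /sbin/*getty, /bin/login and the shells) and the `type_transition` rules from `sesearch -T` (which domain a process lands in when one of those types is executed). The script below is an added example written for this thread, not code from the mailing list or from meta-selinux; it re-implements just enough of both formats to replay the init -> getty -> login chain offline. The sample inputs are copied verbatim from the mail as constructed test data; `walk_exec_chain` relies on the general SELinux rule that a domain executing a file type with no matching `type_transition` keeps its own domain (assuming policy allows the exec at all), which is the case a practitioner wants flagged when a login chain breaks. It also goes slightly beyond the mail by matching the file_contexts regexes against arbitrary paths, the way a relabel would.

```python
"""Replay the SELinux console-login chain from pasted sesearch/file_contexts
output. Added example for the thread above; not code from the list or
from meta-selinux. Sample inputs below are copied from the mail."""
import re

# Constructed sample: the four file_contexts entries quoted in the mail.
FILE_CONTEXTS = """\
/bin/bash -- system_u:object_r:shell_exec_t:s0
/bin/login -- system_u:object_r:login_exec_t:s0
/bin/d?ash -- system_u:object_r:shell_exec_t:s0
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
"""

# Constructed sample: the type_transition rules from both sesearch runs.
SESEARCH = """\
Found 3 semantic te rules:
type_transition rlogind_t login_exec_t : process remote_login_t;
type_transition telnetd_t login_exec_t : process remote_login_t;
type_transition getty_t login_exec_t : process local_login_t;
Found 2 semantic te rules:
type_transition init_t getty_exec_t : process getty_t;
type_transition initrc_t getty_exec_t : process getty_t;
"""

TT_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+);")


def parse_file_contexts(text):
    """Return [(compiled_regex, file_type_flag, type)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, flag, ctx = parts
        else:  # the file-type column ("--", "-d", ...) is optional
            regex, flag, ctx = parts[0], None, parts[-1]
        # libselinux anchors every file_contexts regex to the whole path
        specs.append((re.compile("^" + regex + "$"), flag, ctx.split(":")[2]))
    return specs


def expected_type(specs, path):
    """Type a relabel would assign to `path`: the last matching entry wins,
    as in libselinux; None when no entry matches (e.g. a busybox binary)."""
    hit = None
    for rx, _flag, t in specs:
        if rx.match(path):
            hit = t
    return hit


def parse_transitions(text):
    """Return {(source_domain, exec_type): target_domain} from sesearch -T."""
    rules = {}
    for line in text.splitlines():
        m = TT_RE.match(line.strip())
        if m:
            rules[(m.group(1), m.group(2))] = m.group(3)
    return rules


def walk_exec_chain(rules, start_domain, exec_types):
    """Execute each type in turn from `start_domain`. Without a matching
    type_transition the process keeps the caller's domain; each step is
    reported as (domain_before, exec_type, domain_after, transitioned)."""
    domain, trail = start_domain, []
    for t in exec_types:
        new = rules.get((domain, t), domain)
        trail.append((domain, t, new, new != domain))
        domain = new
    return trail


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/sbin/getty", "/sbin/agetty", "/bin/login", "/bin/ash", "/bin/busybox"):
        print(f"{p:14} relabels to {expected_type(specs, p)}")

    rules = parse_transitions(SESEARCH)
    # The chain the pasted rules describe: init -> getty -> login.
    for d, t, new, ok in walk_exec_chain(rules, "init_t", ["getty_exec_t", "login_exec_t"]):
        print(f"{d} exec {t} -> {new}" + ("" if ok else "   (no transition)"))
    # The same chain if the login binary carried a generic type instead.
    for d, t, new, ok in walk_exec_chain(rules, "init_t", ["getty_exec_t", "bin_t"]):
        print(f"{d} exec {t} -> {new}" + ("" if ok else "   (no transition)"))
```

Feed it the real `sesearch -T` output and `/etc/selinux/targeted/contexts/files/file-contexts` from the target, and use `ls -Z` on the actual binaries to pick the exec types for `walk_exec_chain`; a step printed as "(no transition)" is the point to compare against the AVCs that `ausearch -m avc,user_avc -ts recent` reports.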