Hello Sam! At very first sight, I have spotted something... On 27/06/2011 17:44, Sam Gandhi wrote:
I have labelled login and sh as shown below.

-rwxr-xr-x 1 25024 Jun 24 22:20 system_u:object_r:login_exec_t /bin/login
-rwxr-xr-x 1 15 Jun 24 18:40 system_u:object_r:bin_t /bin/sh

The following is the output of ps -Z:

1 system_u:system_r:init_t S init
583 system_u:system_r:local_login_t S login -- root

But when I log in I see these messages:

Jan 1 10:00:23 192.168.137.1 kernel: type=1400 audit(23.040:40): avc: granted { transition } for pid=596 comm="getty" path="/bin/login" dev=ubifs ino=99 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:local_login_t tclass=process
This is one way, granted.
Jun 28 01:30:17 192.168.137.1 kernel: type=1400 audit(1309188617.348:46): avc: denied { transition } for pid=833 comm="login" path="/bin/sh" dev=ubifs ino=93 scontext=system_u:system_r:local_login_t tcontext=root:system_r:initrc_t tclass=process
Now this is the other way, there's no rule!
I do see the following statement in policy.conf (monolithic):

allow local_login_t initrc_t:process transition;
Perhaps you should try adding the other rule?

allow initrc_t local_login_t:process transition;

[cut]
Can someone PLEASE help me understand why the login process is not being allowed to transition to /bin/sh, and what I need to do to fix this? Regards, -Sam
Hope it helps. Regards, Guido
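The two AVC records quoted in this thread, run through a small parser that derives the type-enforcement allow rule a denial asks for and flags the parts of the security context a type-enforcement rule does not cover. This is an added example, not code from the thread or from the SELinux project; the audit lines are copied from the thread (constructed copies, timestamp and host prefix dropped), and the note about the SELinux user and role being gated separately from the allow rule reflects the reference policy's process-transition constraints and role allow rules, not anything stated by either poster.

```python
import re

# AVC records from the thread (constructed copies; syslog prefix dropped).
AVC_LINES = [
    'type=1400 audit(23.040:40): avc: granted { transition } for pid=596 comm="getty" '
    'path="/bin/login" dev=ubifs ino=99 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:system_r:local_login_t tclass=process',
    'type=1400 audit(1309188617.348:46): avc: denied { transition } for pid=833 '
    'comm="login" path="/bin/sh" dev=ubifs ino=93 scontext=system_u:system_r:local_login_t '
    'tcontext=root:system_r:initrc_t tclass=process',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return verdict, permissions, contexts and class of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec

def split_context(ctx):
    # user:role:type[:range]; an MLS range may itself contain ':' so split 3 times at most
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2]}

def allow_rule(rec):
    """The TE allow rule that would satisfy this record (types only)."""
    s = split_context(rec["scontext"])["type"]
    t = split_context(rec["tcontext"])["type"]
    return f'allow {s} {t}:{rec["tclass"]} {{ {" ".join(rec["perms"])} }};'

def identity_changes(rec):
    # User or role differences across the transition; an allow rule says nothing about
    # these, so a denial can persist even when the rule above is present in the policy.
    s, t = split_context(rec["scontext"]), split_context(rec["tcontext"])
    return {k: (s[k], t[k]) for k in ("user", "role") if s[k] != t[k]}

def analyse(lines):
    """For each denial: the allow rule it asks for, plus any user/role change."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        out.append({"rule": allow_rule(rec), "changes": identity_changes(rec)})
    return out
```

For the denial in the thread this yields the very rule Sam already has in policy.conf, plus the observation that the SELinux user changes from system_u to root across the transition, which is worth checking separately from the allow rule.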