Re: login process unable to execute /bin/sh

On Mon, Jun 27, 2011 at 11:44, Sam Gandhi <samgandhi9@xxxxxxxxx> wrote:
> I have labelled login and sh as shown below.
>
> -rwxr-xr-x    1     25024 Jun 24 22:20 system_u:object_r:login_exec_t  /bin/login
> -rwxr-xr-x    1        15 Jun 24 18:40 system_u:object_r:bin_t         /bin/sh
>
> The following is the output of ps -Z:
>      1 system_u:system_r:init_t         S    init
>  583 system_u:system_r:local_login_t  S    login -- root
>
> But when I log in I see these messages:
>
> Jan  1 10:00:23 192.168.137.1 kernel: type=1400 audit(23.040:40): avc:
>  granted  { transition } for  pid=596 comm="getty" path="/bin/login"
> dev=ubifs ino=99 scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:local_login_t tclass=process
> Jun 28 01:30:17 192.168.137.1 kernel: type=1400
> audit(1309188617.348:46): avc:  denied  { transition } for  pid=833
> comm="login" path="/bin/sh" dev=ubifs ino=93
> scontext=system_u:system_r:local_login_t
> tcontext=root:system_r:initrc_t tclass=process

I believe your "getty" process should be something like "getty_t",
not "initrc_t", so probably you have the wrong label on /sbin/getty.

I don't remember if this is quite the right command, but something
along the lines of "restorecon -RF /" followed by a reboot *should*
fix all of those issues, assuming your policy file_contexts are right.

Cheers,
Kyle Moffett


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
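
An added example, not part of the original messages: a small Python parser that reads the two AVC records quoted above and reports each process transition with its source and target domain. The `EXPECTED_DOMAIN` table is an assumption (its `getty_t` entry is the reply's guess, not a verified policy fact), and all function names are hypothetical.

```python
import re

# Constructed sample: the two AVC records quoted in the thread, unwrapped.
SAMPLE_LOG = [
    'Jan  1 10:00:23 192.168.137.1 kernel: type=1400 audit(23.040:40): avc: '
    ' granted  { transition } for  pid=596 comm="getty" path="/bin/login" '
    'dev=ubifs ino=99 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:system_r:local_login_t tclass=process',
    'Jun 28 01:30:17 192.168.137.1 kernel: type=1400 audit(1309188617.348:46): '
    'avc:  denied  { transition } for  pid=833 comm="login" path="/bin/sh" '
    'dev=ubifs ino=93 scontext=system_u:system_r:local_login_t '
    'tcontext=root:system_r:initrc_t tclass=process',
]

# Assumption: the domain each command is expected to run in.
EXPECTED_DOMAIN = {"getty": "getty_t", "login": "local_login_t"}

AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC record, or None if not AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    return rec

def context_type(context):
    """Contexts are user:role:type[:mls]; the type is the third field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def review_transitions(lines):
    """Summarise process transitions and flag unexpected source domains."""
    findings = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec.get("tclass") != "process" or "transition" not in rec["perms"]:
            continue
        src = context_type(rec["scontext"])
        expected = EXPECTED_DOMAIN.get(rec["comm"])
        findings.append({
            "result": rec["result"], "comm": rec["comm"],
            "path": rec.get("path"), "from": src,
            "to": context_type(rec["tcontext"]),
            "unexpected_source": expected is not None and src != expected,
        })
    return findings
```

Calling `review_transitions(SAMPLE_LOG)` returns one entry per transition record; the `unexpected_source` flag is only as good as the assumed table, so adjust it to the policy actually loaded.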

