So this time it labelled the system correctly; now I was missing the directory. It didn't give me any error that SELinux is preventing, but it generated a log:
type=AVC msg=audit(1477527661.560:86): avc: denied { remove_name } for pid=1382 comm="rm" name=".autorelabel" dev="dm-0" ino=274627 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
The rest of the directories are now correctly labelled, but the issue remains the same: it didn't allow me to login.
On Thu, Oct 27, 2016 at 4:08 AM, Harry Waddell <waddell@xxxxxxxxxxxxxxxx> wrote:
On Thu, 27 Oct 2016 01:54:02 +0500
Kashif ali <kashif.ali.9498@xxxxxxxxx> wrote:

I apologize for top-posting earlier. It was momentary insanity on my part.

> I'm using a CentOS server and I'm logging on to the system locally; there is no ssh.
> Another thing: I have checked, and files are labelled with unlabelled_t. I have
> installed the mls policy, and I have checked the logs in the audit.log file:
>
> type=AVC msg=audit(1477481078.990:79): avc: denied { read } for pid=1039
> comm="audispd" name="ld.so.cache" dev="dm-0" ino=67387328
> scontext=system_u:system_r:audisp_t:s15:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
>
> these kinds of logs are generated
>
> On Thu, Oct 27, 2016 at 1:49 AM, Harry Waddell <waddell@xxxxxxxxxxxxxxxx> wrote:
>
> >
> > Again, you're being far too vague. Can you login in text mode as root
> > on the system console? Or are you trying to login to a desktop with a
> > window manager, e.g. via xdm? These are completely different things.
> >
> > 1. Make sure you have the current and correct rpms installed, e.g. the mls policy.
> >
> > 2. Relabel everything again and make sure it completes without errors.
> >
> > 3. If you still can't login in text mode as root from the console, look at
> > the specific causes listed in the auditd log. If you haven't already done so,
> > I would suggest you become good friends with audit2allow, etc...
> >
> > HW
> >
> >
> > On Thu, 27 Oct 2016 01:32:36 +0500
> > Kashif ali <kashif.ali.9498@xxxxxxxxx> wrote:
> >
> > > I am logging on to the local machine directly, and if I put mls in permissive
> > > mode it will just generate logs for the policy violation, which is expected in
> > > permissive, but if I am unable to use mls in enforcing mode then it is
> > > quite wrong behavior.
> > >
> > > On Thu, Oct 27, 2016 at 1:27 AM, Harry Waddell <waddell@xxxxxxxxxxxxxxxx> wrote:
> > >
> > > > On Wed, 26 Oct 2016 10:17:27 -0400
> > > > Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > >
> > > > > On 10/26/2016 03:47 AM, Kashif ali wrote:
> > > > > > Hi
> > > > > > > Hope you're fine. I know you're busy, but I need a little of your time;
> > > > > > > if you can manage that, it will be great for me.
> > > > > > > I'm facing an issue in the MLS policy of SELinux: when I relabel the
> > > > > > > system and reboot it, it won't allow me to login (I'm signing in on my
> > > > > > > machine). I used these commands:
> > > > > > * set the selinux to enforcing
> > > > > > * touch ./autorelabel for relabeling the system
> > > > > > * and then reboot the system and it won't allow me to login
> > > > > >
> > > > > > > Kindly help with this problem because I've been stuck on it for a while,
> > > > > > > and I will be very grateful. Thanks
> > > > >
> > > > > > Generally it is a good idea to first bring up the system in permissive
> > > > > > when switching to MLS, and check that there are no residual denials or
> > > > > > other SELinux errors that need to be addressed before putting it into
> > > > > > enforcing mode. We would need to see the actual error messages to help
> > > > > > debug further. And it would help to specify your specific distribution
> > > > > > and version.
> > > > >
> > > >
> > > > Agreed. At this point, I think the only recourse for Kashif is to
> > > > boot the system into rescue mode, e.g. using the install dvd,
> > > > mount the filesystem, and edit the /etc/sysconfig/selinux file to
> > > > change enforcing to permissive.
> > > >
> > > > Saying "it won't allow me to login" is too vague. Is "me" root?
> > > > > Is login from the console or via ssh? It could be that a boolean
> > > > needs to be changed, but that's just speculation at this point.
> > > > Once it's in permissive mode, hopefully the problem will be somewhat
> > > > obvious.
> > > >
> > > >
> > > >
> > > >
> > > >
> >
Look at the tcontext in the error message. ld.so.conf is unlabeled.
I'm not sure what it should be on your system, e.g. ld_so_cache_t, but I
strongly suspect unlabeled_t is not correct. You've probably skipped a step somewhere or
something failed without being noticed during setup.
I suspect you made a mistake here:
> touch ./autorelabel for relabeling the system
It's "touch /.autorelabel", i.e. the dot comes AFTER the / NOT BEFORE.
Relabel everything. If that doesn't work, consider starting over, paying close attention
to whatever instructions or tutorial you are working from, e.g.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/enabling-mls-in-selinux.html
HW
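
As an added example (not part of the thread or any poster's code): a small Python parser for the two AVC records quoted above. It splits the source and target contexts, including the MLS range, and separates denials whose target is `unlabeled_t`, the relabeling symptom pointed out in the reply, from the rest. The function names and the two triage labels are choices made for this example.

```python
import re

# The two AVC records quoted in this thread, copied verbatim.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1477481078.990:79): avc: denied { read } for pid=1039 '
    'comm="audispd" name="ld.so.cache" dev="dm-0" ino=67387328 '
    'scontext=system_u:system_r:audisp_t:s15:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file',
    'type=AVC msg=audit(1477527661.560:86): avc: denied { remove_name } for pid=1382 '
    'comm="rm" name=".autorelabel" dev="dm-0" ino=274627 '
    'scontext=system_u:system_r:init_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:root_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, typ, *rng = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'range': rng[0] if rng else None}


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['source'] = split_context(rec['scontext'])
    rec['target'] = split_context(rec['tcontext'])
    return rec


def triage(rec):
    """'relabel' if the target object carries no real label, else 'review'."""
    return 'relabel' if rec['target']['type'] == 'unlabeled_t' else 'review'


if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        r = parse_avc(line)
        print(triage(r), r['comm'], r['perms'], r['name'],
              r['source']['type'], '->', r['target']['type'], r['target']['range'])
```
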