Re: MLS issue

So this time it labelled the system correctly. Now I was missing the directory; it didn't give me any error that SELinux is preventing, but it generated a log:

type=AVC msg=audit(1477527661.560:86): avc:  denied  { remove_name } for  pid=1382 comm="rm" name=".autorelabel" dev="dm-0" ino=274627 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

The rest of the directories are now correctly labelled, but the issue remains the same: it didn't allow me to login.


On Thu, Oct 27, 2016 at 4:08 AM, Harry Waddell <waddell@xxxxxxxxxxxxxxxx> wrote:
On Thu, 27 Oct 2016 01:54:02 +0500
Kashif ali <kashif.ali.9498@xxxxxxxxx> wrote:

> I'm using a CentOS server and I'm logging on to the system locally; there is no SSH.
> Another thing: I have checked, and files are labelled with unlabeled_t. I have
> installed the MLS policy and checked the logs in the audit.log file:
>
> type=AVC msg=audit(1477481078.990:79): avc:  denied  { read } for  pid=1039 comm="audispd" name="ld.so.cache" dev="dm-0" ino=67387328 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
>
> These kinds of logs are generated.
>
> On Thu, Oct 27, 2016 at 1:49 AM, Harry Waddell <waddell@xxxxxxxxxxxxxxxx>
> wrote:
>
> >
> > Again, you're being far too vague. Can you login in text mode as root
> > on the system console? Or are you trying to login to a desktop with a
> > window manager, e.g. via xdm? These are completely different things.
> >
> > 1. Make sure you have the current and correct rpms installed, e.g. the mls
> > policy.
> >
> > 2. Relabel everything again and make sure it completes without errors.
> >
> > 3. If you still can't login in text mode as root from the console, look at
> > the specific causes listed in the auditd log. If you haven't already done so,
> > I would suggest you become good friends with audit2allow, etc...
> >
> > HW
> >
> >
> > On Thu, 27 Oct 2016 01:32:36 +0500
> > Kashif ali <kashif.ali.9498@xxxxxxxxx> wrote:
> >
> > > I am logging on the local machine directly, and if I put MLS in permissive
> > > mode it will just generate logs for the policy violation, which is expected
> > > in permissive, but if I am unable to use MLS in enforcing mode then it is
> > > quite wrong behavior.
> > >
> > > On Thu, Oct 27, 2016 at 1:27 AM, Harry Waddell <waddell@xxxxxxxxxxxxxxxx> wrote:
> > >
> > > > On Wed, 26 Oct 2016 10:17:27 -0400
> > > > Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > >
> > > > > On 10/26/2016 03:47 AM, Kashif ali wrote:
> > > > > > Hi
> > > > > >    Hope you're fine. I know you're busy, but I need a little of your time;
> > > > > > if you can manage that, it will be great for me.
> > > > > > I'm facing an issue in the MLS policy of SELinux: when I relabel the system
> > > > > > and reboot it, it won't allow me to login (I'm signing in on my machine). I
> > > > > > used these commands:
> > > > > >  * set the selinux to enforcing
> > > > > >  * touch ./autorelabel for relabeling the system
> > > > > >  * and then reboot the system and it won't allow me to login
> > > > > >
> > > > > > Kindly help with this problem because I have been stuck on it for a while,
> > > > > > and I will be very grateful. Thanks
> > > > >
> > > > > Generally it is a good idea to first bring up the system in permissive
> > > > > when switching to MLS, and check that there are no residual denials or
> > > > > other SELinux errors that need to be addressed before putting it into
> > > > > enforcing mode.  We would need to see the actual error messages to help
> > > > > debug further.  And it would help to specify your specific distribution
> > > > > and version.
> > > > >
> > > >
> > > > Agreed. At this point, I think the only recourse for Kashif is to
> > > > boot the system into rescue mode, e.g. using the install dvd,
> > > > mount the filesystem, and edit the /etc/sysconfig/selinux file to
> > > > change enforcing to permissive.
> > > >
> > > > Saying "it won't allow me to login" is too vague. Is "me" root?
> > > > Is login from the console or via ssh? It could be that a boolean
> > > > needs to be changed, but that's just speculation at this point.
> > > > Once it's in permissive mode, hopefully the problem will be somewhat
> > > > obvious.

I apologize for top-posting earlier. It was momentary insanity on my part.

Look at the tcontext in the error message. ld.so.conf is unlabeled.

I'm not sure what it should be on your system, e.g. ld_so_cache_t, but I
strongly suspect unlabeled_t is not correct. You've probably skipped a step somewhere or
something failed without being noticed during setup.

I suspect you made a mistake here:

> touch ./autorelabel for relabeling the system

It's "touch /.autorelabel", i.e. the dot comes AFTER the / NOT BEFORE.

Relabel everything. If that doesn't work, consider starting over, paying close attention
to whatever instructions or tutorial you are working from, e.g.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/enabling-mls-in-selinux.html

HW
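Harry's advice to read the auditd log and Stephen's advice to go through permissive mode first amount to one loop: collect the AVC records, find the ones whose target is still unlabeled_t (objects the relabel never reached), and stay in permissive until that list is empty. The Python below is an added example written for this archive page, not code from any poster or from the SELinux project. It parses the two AVC lines quoted in the thread, flags denials against unlabeled_t, and rewrites the SELINUX= line of a constructed copy of /etc/sysconfig/selinux the way the rescue-mode step describes. The record field names follow the audit log format; the names `AvcRecord`, `parse_avc`, `unlabeled_target_denials` and `set_selinux_mode` are chosen here and are not part of any SELinux tool.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two AVC records quoted in this thread (copied from the messages above),
# followed by one constructed non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1477481078.990:79): avc:  denied  { read } for  pid=1039 comm="audispd" name="ld.so.cache" dev="dm-0" ino=67387328 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1477527661.560:86): avc:  denied  { remove_name } for  pid=1382 comm="rm" name=".autorelabel" dev="dm-0" ino=274627 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1477481078.990:79): constructed non-AVC record, ignored by the parser
"""

# Constructed copy of /etc/sysconfig/selinux as it would look on the poster's box.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUXTYPE=mls
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-blank characters
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    permissions: list
    fields: dict

    @property
    def source_type(self) -> str:
        # A context is user:role:type:range; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("rest")):
        quoted, bare = fm.group(2), fm.group(3)
        fields[fm.group(1)] = quoted if quoted is not None else bare
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        permissions=m.group("perms").split(),
        fields=fields,
    )


def parse_audit_log(text: str) -> list:
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def unlabeled_target_denials(records) -> list:
    """Denials against unlabeled_t objects: files the relabel never reached."""
    return [r for r in records
            if r.decision == "denied" and r.target_type == "unlabeled_t"]


def set_selinux_mode(config_text: str, mode: str) -> str:
    """Rewrite the SELINUX= line of a sysconfig/selinux file, leaving everything else intact."""
    if mode not in ("enforcing", "permissive", "disabled"):
        raise ValueError(f"unknown SELinux mode: {mode}")
    out = []
    for line in config_text.splitlines():
        if re.match(r"^SELINUX=", line):   # does not touch SELINUXTYPE=
            line = f"SELINUX={mode}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in records:
        print(f"{r.fields['comm']} ({r.source_type}) {r.decision} {','.join(r.permissions)} "
              f"on {r.fields['name']} [{r.target_type}/{r.fields['tclass']}]")
    for r in unlabeled_target_denials(records):
        print(f"serial {r.serial}: target still unlabeled_t -> relabel incomplete")
    print(set_selinux_mode(SAMPLE_SELINUX_CONFIG, "permissive"), end="")
```

Run against the thread's two records, the first (audispd reading ld.so.cache) is reported as an unlabeled_t target, while the second (init removing /.autorelabel from root_t) is not, which matches the poster's observation that the second relabel fixed the labels but left a different denial behind.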



_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
