<div dir="ltr">Hi Daniel,<div><br></div><div><font color="#0000ff">I have checked the file_contexts file </font></div><div><br></div><div><b> #grep :login_exec_t contexts/files/file_contexts</b></div><div>/bin/login<span class="Apple-tab-span" style="white-space:pre">        </span>--<span class="Apple-tab-span" style="white-space:pre">        </span>system_u:object_r:login_exec_t:s0</div><div>/bin/login\.shadow<span class="Apple-tab-span" style="white-space:pre">        </span>--<span class="Apple-tab-span" style="white-space:pre">        </span>system_u:object_r:login_exec_t:s0</div><div>/bin/login\.tinylogin<span class="Apple-tab-span" style="white-space:pre">        </span>--<span class="Apple-tab-span" style="white-space:pre">        </span>system_u:object_r:login_exec_t:s0</div><div>/usr/kerberos/sbin/login\.krb5<span class="Apple-tab-span" style="white-space:pre">        </span>--<span class="Apple-tab-span" style="white-space:pre">        </span>system_u:object_r:login_exec_t:s0</div><div><br></div><div><font color="#0000ff">Now if I run in permissive mode, I can see that the login programs below are running</font></div><div><font color="#0000ff">(Here I gave unconfined_r as role and s0 as range)</font></div><div><br></div><div><div><b> 1109 root      3540 S    /bin/login --</b></div><div><b> 1111 root         0 SW   [kauditd]</b></div><div><b> 1113 root      3020 S    -sh</b></div></div><div><b><font color="#0000ff"><br></font></b></div><div><font color="#0000ff">But when I run in enforcing mode I get the same error</font></div><div><br></div><div><div style="font-size:12.8000001907349px"><i><b>arm-cortex-a15 login: root</b></i></div><div style="font-size:12.8000001907349px"><i><b>Last login: Tue Aug 18 11:36:58 UTC 2015 on console</b></i></div><div style="font-size:12.8000001907349px"><i><b>Would you like to enter a security context? 
[N]  Y</b></i></div><div style="font-size:12.8000001907349px"><i><b>role: unconfined_r</b></i></div><div style="font-size:12.8000001907349px"><i><b>level: s0</b></i></div><div style="font-size:12.8000001907349px"><i><b>[ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm=&quot;login&quot; path=&quot;/bin/bash&quot; dev=&quot;mmcblk0&quot; ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process</b></i></div><div style="font-size:12.8000001907349px"><i><b>[ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  { transition } for  pid=1120 comm=&quot;login&quot; path=&quot;/bin/bash&quot; dev=&quot;mmcblk0&quot; ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process</b></i></div><div style="font-size:12.8000001907349px"><i><b>Cannot execute /bin/sh: Permission denied</b></i></div><div style="font-size:12.8000001907349px"><i><b><br></b></i></div><div style="font-size:12.8000001907349px"><i><b>MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console</b></i></div><div style="font-size:12.8000001907349px"><i><b><br></b></i></div><div style="font-size:12.8000001907349px"><i><b>arm-cortex-a15 login:</b></i></div></div><div style="font-size:12.8000001907349px"><i><b><br></b></i></div><div style="font-size:12.8000001907349px"><i><b><br></b></i></div><div style="font-size:12.8000001907349px"><i>Please guide me what is going wrong and how to resolve this issue.</i></div><div style="font-size:12.8000001907349px"><i><br></i></div><div style="font-size:12.8000001907349px"><i>Thanks,</i></div><div style="font-size:12.8000001907349px"><i>Srinivas.</i></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <span dir="ltr">&lt;<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" 
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    What is the path to the login program?  What is it labeled?  The
    problem is login is running with the wrong context.<br>
    <br>
    It should be labeled login_exec_t<br>
    <br>
    grep :login_exec_t
    /etc/selinux/targeted/contexts/files/file_contexts<br>
    /bin/login    --    system_u:object_r:login_exec_t:s0<br>
    /usr/bin/login    --    system_u:object_r:login_exec_t:s0<br>
    /usr/kerberos/sbin/login\.krb5    --   
    system_u:object_r:login_exec_t:s0<br>
    <br>
    <br>
    init_t is supposed to transition to local_login_t when executing the
    login program.<div><div class="h5"><br>
    <br>
    <div>On 08/18/2015 06:17 AM, Srinivasa Rao
      Ragolu wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Daniel,
        <div><br>
        </div>
        <div>Thanks for the quick reply. Please find the first-time boot log
          with labeling and reboot.</div>
        <div><br>
        </div>
        <div>Also find second time boot log when I created
          /.autorelablel.</div>
        <div><br>
        </div>
        <div>Somehow I could not log in as root. </div>
        <div><br>
        </div>
        <div>Your help is really appreciated.</div>
        <div><br>
        </div>
        <div>Thanks,</div>
        <div>Srinivas.</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Aug 18, 2015 at 6:16 PM, Daniel
          J Walsh <span dir="ltr">&lt;<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Looks like you have a
              labeling issue.<br>
              <br>
              touch /.autorelabel; reboot<br>
              <br>
              Should fix the issues.
              <div>
                <div><br>
                  <br>
                  <br>
                  <div>On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu
                    wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div dir="ltr">Hi All,
                      <div><br>
                      </div>
                      <div>I am very new to SELinux. Today I
                        ported SELinux to my embedded platform with
                        targeted policy+enforcing.</div>
                      <div><br>
                      </div>
                      <div>When I try to boot, it completes labeling
                        the filesystem, but I could not log in using
                        root. See my error log...</div>
                      <div><br>
                      </div>
                      <div>
                        <div><i><b>arm-cortex-a15 login: root</b></i></div>
                        <div><i><b>Last login: Tue Aug 18 11:36:58 UTC
                              2015 on console</b></i></div>
                        <div><i><b>Would you like to enter a security
                              context? [N]  Y</b></i></div>
                        <div><i><b>role: unconfined_r</b></i></div>
                        <div><i><b>level: s0</b></i></div>
                        <div><i><b>[ 1252.885468] type=1400
                              audit(1439898856.140:13): avc:  denied  {
                              transition } for  pid=1120 comm=&quot;login&quot;
                              path=&quot;/bin/bash&quot; dev=&quot;mmcblk0&quot; ino=58115
                              scontext=system_u:system_r:init_t:s0
                              tcontext=unconfined_u:unconfined_r:unconfined_t:s0
                              tclass=process</b></i></div>
                        <div><i><b>[ 1252.887219] type=1400
                              audit(1439898856.140:14): avc:  denied  {
                              transition } for  pid=1120 comm=&quot;login&quot;
                              path=&quot;/bin/bash&quot; dev=&quot;mmcblk0&quot; ino=58115
                              scontext=system_u:system_r:init_t:s0
                              tcontext=unconfined_u:unconfined_r:unconfined_t:s0
                              tclass=process</b></i></div>
                        <div><i><b>Cannot execute /bin/sh: Permission
                              denied</b></i></div>
                        <div><i><b><br>
                            </b></i></div>
                        <div><i><b>MontaVista Carrier Grade Linux 7.0.0
                              arm-cortex-a15 /dev/console</b></i></div>
                        <div><i><b><br>
                            </b></i></div>
                        <div><i><b>arm-cortex-a15 login:</b></i></div>
                      </div>
                      <div><i><b><br>
                          </b></i></div>
                      <div>Please help me. How can I solve this issue
                        and achieve a normal boot?</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div>Thanks,</div>
                      <div>Srinivas.</div>
                    </div>
                  </div>
                </div>
                <span><font color="#888888">
                    <pre>--
selinux mailing list
<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
                  </font></span></blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
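Added example, not part of the original thread or any project's code: a small triage script that parses the AVC denial quoted above and looks up the type that the quoted file_contexts entries assign to a path, reproducing the check Daniel describes (login should run in local_login_t via a login_exec_t-labeled binary). The sample inputs are copied from the messages; the function names and the simplified "last matching entry wins" lookup are assumptions of this example.

```python
import re

# Sample inputs copied from the messages in this thread.
FILE_CONTEXTS = r"""
/bin/login                      --  system_u:object_r:login_exec_t:s0
/bin/login\.shadow              --  system_u:object_r:login_exec_t:s0
/bin/login\.tinylogin           --  system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5  --  system_u:object_r:login_exec_t:s0
"""
AVC = ('type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  '
       'pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 '
       'scontext=system_u:system_r:init_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process')

def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    rec = {key: value.strip('"') for key, value in fields}
    rec["perms"] = m.group(1).split()
    return rec

def se_type(context):
    """The type is the third field of user:role:type[:range]."""
    return context.split(":")[2]

def expected_type(path, file_contexts):
    """Type assigned to path; simplified lookup, last matching entry wins."""
    found = None
    for entry in file_contexts.strip().splitlines():
        parts = entry.split()
        if len(parts) >= 2 and re.fullmatch(parts[0], path):
            found = se_type(parts[-1])
    return found

def diagnose(rec):
    """Flag the case from this thread: login still in init_t when it execs the shell."""
    if (rec["tclass"] == "process" and "transition" in rec["perms"]
            and rec["comm"] == "login" and se_type(rec["scontext"]) == "init_t"):
        return ("login is running as init_t, not local_login_t: compare the "
                "on-disk label of the login binary with file_contexts")
    return "no login-domain problem recognised"

if __name__ == "__main__":
    print(diagnose(parse_avc(AVC)))
    print("/bin/login should be", expected_type("/bin/login", FILE_CONTEXTS))
```

On the target, the label reported by `ls -Z` for the binary that init actually executes is the value to compare against the `expected_type` result.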