<div dir="ltr">Hi Daniel,<div><br></div><div>Please see the output of security contexts. Also no usr is mounted.</div><div><br></div><div><div>root@arm-cortex-a15:~# ls -lZ /bin/login*</div><div><font color="#0000ff">lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow</font></div><div><font color="#0000ff">-rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow</font></div><div>root@arm-cortex-a15:~# mount</div><div><font color="#0000ff">/dev/root on / type ext2 (rw,relatime,seclabel)</font></div><div><font color="#0000ff">sysfs on /sys type sysfs (rw,relatime,seclabel)</font></div><div><font color="#0000ff">selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)</font></div><div><font color="#0000ff">proc on /proc type proc (rw,relatime)</font></div><div><font color="#0000ff">none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)</font></div><div><font color="#0000ff">devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)</font></div><div><font color="#0000ff">tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)</font></div><div><font color="#0000ff">tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)</font></div></div><div><br></div><div><br></div><div>please guide if you find an clue from above output</div><div><br></div><div>Thanks,</div><div>Srinivas.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
ls -lZ /usr/bin/login*<br>
<br>
By any chance is the /usr directory mounted NOSUID?<div><div class="h5"><br>
<br>
<div>On 08/18/2015 07:58 AM, Srinivasa Rao
Ragolu wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am building for embedded platform. Could not able to get
exact version. But can provide info about recipe in yocto.</div>
<div><br>
</div>
<div><a href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/" target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/</a><br>
</div>
<div><a href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb" target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb</a><br>
</div>
<div><br>
</div>
<div>Any pointers please?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Aug 18, 2015 at 8:17 PM,
Miroslav Grepl <span dir="ltr"><<a href="mailto:mgrepl@redhat.com" target="_blank">mgrepl@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu
wrote:<br>
> Hi Daniel,<br>
><br>
</span><span>> I have checked the file_contexts
file<br>
><br>
</span>> * #grep :login_exec_t
contexts/files/file_contexts*<br>
> /bin/login--system_u:object_r:login_exec_t:s0<br>
> /bin/login\.shadow--system_u:object_r:login_exec_t:s0<br>
>
/bin/login\.tinylogin--system_u:object_r:login_exec_t:s0<br>
>
/usr/kerberos/sbin/login\.krb5--system_u:object_r:login_exec_t:s0<br>
<span>><br>
> Now If I run with permissive mode. I Could see below
login programs are<br>
> running<br>
> (Here I gave unconfined_r as role and s0 as range)<br>
><br>
</span>> * 1109 root 3540 S /bin/login --*<br>
> * 1111 root 0 SW [kauditd]*<br>
> * 1113 root 3020 S -sh*<br>
> *<br>
> *<br>
<span>> But when I run with enforcing mode I get
same error<br>
><br>
</span>> /*arm-cortex-a15 login: root*/<br>
> /*Last login: Tue Aug 18 11:36:58 UTC 2015 on console*/<br>
> /*Would you like to enter a security context? [N] Y*/<br>
> /*role: unconfined_r*/<br>
> /*level: s0*/<br>
> /*[ 1252.885468] type=1400 audit(1439898856.140:13):
avc: denied {<br>
<span>> transition } for pid=1120 comm="login"
path="/bin/bash" dev="mmcblk0"<br>
> ino=58115 scontext=system_u:system_r:init_t:s0<br>
</span>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=process*/<br>
> /*[ 1252.887219] type=1400 audit(1439898856.140:14):
avc: denied {<br>
<span>> transition } for pid=1120 comm="login"
path="/bin/bash" dev="mmcblk0"<br>
> ino=58115 scontext=system_u:system_r:init_t:s0<br>
</span>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=process*/<br>
> /*Cannot execute /bin/sh: Permission denied*/<br>
> /*<br>
> */<br>
> /*MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15
/dev/console*/<br>
> /*<br>
> */<br>
> /*arm-cortex-a15 login:*/<br>
> /*<br>
> */<br>
> /*<br>
> */<br>
> /Please guide me what is going wrong and how to resolve
this issue./<br>
> /<br>
> /<br>
> /Thanks,/<br>
> /Srinivas./<br>
<span>><br>
> On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com" target="_blank"></a><a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a><br>
</span><span>> <mailto:<a href="mailto:dwalsh@redhat.com" target="_blank"></a><a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>>>
wrote:<br>
><br>
> What is the path to the login program? What is
it labeled? The<br>
> problem is login is running with the wrong
context.<br>
><br>
> It should be labeled login_exec_t<br>
><br>
> grep :login_exec_t
/etc/selinux/targeted/contexts/files/file_contexts<br>
> /bin/login --
system_u:object_r:login_exec_t:s0<br>
> /usr/bin/login --
system_u:object_r:login_exec_t:s0<br>
> /usr/kerberos/sbin/login\.krb5 --<br>
> system_u:object_r:login_exec_t:s0<br>
><br>
><br>
> init_t is supposed to transition to local_login_t
when executing the<br>
> login program.<br>
><br>
><br>
> On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu
wrote:<br>
>> Hi Daniel,<br>
>><br>
>> Thanks for quick reply. Please find first
time boot log with<br>
>> lableling and reboot.<br>
>><br>
>> Also find second time boot log when I created
/.autorelablel.<br>
>><br>
>> Somehow I could not able to login as root.<br>
>><br>
>> Your help is really appriciated.<br>
>><br>
>> Thanks,<br>
>> Srinivas.<br>
>><br>
>> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J
Walsh <<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a><br>
</span><span>>> <mailto:<a href="mailto:dwalsh@redhat.com" target="_blank"></a><a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>>>
wrote:<br>
>><br>
>> Looks like you have a labeling issue.<br>
>><br>
>> touch /.autorelabel; reboot<br>
>><br>
>> Should fix the issues.<br>
>><br>
>><br>
>><br>
>> On 08/18/2015 04:53 AM, Srinivasa Rao
Ragolu wrote:<br>
>>> Hi All,<br>
>>><br>
>>> I have very new to selinux. Today I
have ported selinux to my<br>
>>> embedded platform with targeted
policy+enforcing.<br>
>>><br>
>>> When I try to boot, it completes
labeling filesystem. But I<br>
>>> could not able to login using root..
See my error log...<br>
>>><br>
</span>>>> /*arm-cortex-a15 login: root*/<br>
>>> /*Last login: Tue Aug 18 11:36:58 UTC
2015 on console*/<br>
>>> /*Would you like to enter a security
context? [N] Y*/<br>
>>> /*role: unconfined_r*/<br>
>>> /*level: s0*/<br>
>>> /*[ 1252.885468] type=1400
audit(1439898856.140:13): avc:<br>
<span>>>> denied { transition }
for pid=1120 comm="login"<br>
>>> path="/bin/bash" dev="mmcblk0"
ino=58115<br>
>>> scontext=system_u:system_r:init_t:s0<br>
>>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
</span>>>> tclass=process*/<br>
>>> /*[ 1252.887219] type=1400
audit(1439898856.140:14): avc:<br>
<span>>>> denied { transition }
for pid=1120 comm="login"<br>
>>> path="/bin/bash" dev="mmcblk0"
ino=58115<br>
>>> scontext=system_u:system_r:init_t:s0<br>
>>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
</span>>>> tclass=process*/<br>
>>> /*Cannot execute /bin/sh: Permission
denied*/<br>
>>> /*<br>
>>> */<br>
>>> /*MontaVista Carrier Grade Linux 7.0.0
arm-cortex-a15<br>
>>> /dev/console*/<br>
>>> /*<br>
>>> */<br>
>>> /*arm-cortex-a15 login:*/<br>
>>> /*<br>
>>> */<br>
<span>>>> Please help me.. How can
I solve this issue and achieve<br>
>>> normal boot.<br>
>>><br>
>>><br>
>>> Thanks,<br>
>>> Srinivas.<br>
>>><br>
>>><br>
>>> --<br>
>>> selinux mailing list<br>
>>> <a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
</span>>>> <mailto:<a href="mailto:selinux@lists.fedoraproject.org" target="_blank"></a><a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>><br>
<span>>>> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" rel="noreferrer" target="_blank"></a><a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>> selinux mailing list<br>
>> <a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
</span>>> <mailto:<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>><br>
<span>>> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" rel="noreferrer" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
><br>
><br>
><br>
><br>
> --<br>
> selinux mailing list<br>
> <a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" rel="noreferrer" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
><br>
<br>
</span>What does<br>
<br>
$ rpm -q selinux-policy-targeted<br>
<br>
?<br>
<br>
Also could you try to reinstall the selinux-policy-targeted
to see if it<br>
blows up?<br>
<span><font color="#888888"><br>
--<br>
Miroslav Grepl<br>
Senior Software Engineer, SELinux Solutions<br>
Red Hat, Inc.<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>--
selinux mailing list
<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>