<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 08/19/2015 11:51 PM, Srinivasa Rao
Ragolu wrote:<br>
</div>
<blockquote
cite="mid:CAH4+OFpDq2ppGMqLomLtHV8=XMUrVnCGBxbLArHMn1h9=RRgBw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>Please find the security contexts of necessary files</div>
<div><br>
</div>
<div>
<div>root@arm-cortex-a15:~# sestatus -v</div>
<div>SELinux status: enabled</div>
<div>SELinuxfs mount: /sys/fs/selinux</div>
<div>SELinux root directory: /etc/selinux</div>
<div>Loaded policy name: targeted</div>
<div>Current mode: permissive</div>
<div>Mode from config file: permissive</div>
<div>Policy MLS status: enabled</div>
<div>Policy deny_unknown status: allowed</div>
<div>Max kernel policy version: 28</div>
<div><br>
</div>
<div>Process contexts:</div>
<div>Current context:
unconfined_u:unconfined_r:unconfined_t:s0</div>
<div>Init context:
system_u:system_r:init_t:s0</div>
<div><br>
</div>
<div>File contexts:</div>
<div>Controlling terminal:
unconfined_u:object_r:user_tty_device_t:s0</div>
<div>/etc/passwd
system_u:object_r:etc_t:s0</div>
<div>/etc/shadow
system_u:object_r:shadow_t:s0</div>
<div>/bin/bash
system_u:object_r:shell_exec_t:s0</div>
<div>/bin/login
system_u:object_r:bin_t:s0 ->
system_u:object_r:login_exec_t:s0</div>
<div>/bin/sh
system_u:object_r:bin_t:s0 ->
system_u:object_r:shell_exec_t:s0</div>
<div>/sbin/init
system_u:object_r:bin_t:s0 ->
system_u:object_r:init_exec_t:s0</div>
<div>/lib/libc.so.6
system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0</div>
</div>
<div><br>
</div>
<div>Do I need to change any of the file contexts to avoid the
issue of login failure?</div>
<div><br>
</div>
</div>
</blockquote>
The problem is the login program is not transitioning from init_t to
local_login_t. <br>
<br>
You never answered the question about what version of selinux-policy you are running:<br>
<br>
rpm -q selinux-policy<br>
<br>
Is this system using systemd?<br>
<br>
Are other programs running in different contexts besides kernel_t and
init_t?<br>
<blockquote
cite="mid:CAH4+OFpDq2ppGMqLomLtHV8=XMUrVnCGBxbLArHMn1h9=RRgBw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 6:05 PM,
Srinivasa Rao Ragolu <span dir="ltr"><<a href="mailto:sragolu@mvista.com">sragolu@mvista.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">As I could not able to login, changed
/etc/selinux/config from enforcing to permissive. Executed
above commands.</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 6:04
PM, Srinivasa Rao Ragolu <span dir="ltr"><<a href="mailto:sragolu@mvista.com">sragolu@mvista.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Daniel,
<div><br>
</div>
<div>Please see the output of the security contexts.
Also, no /usr is mounted.</div>
<div><br>
</div>
<div>
<div>root@arm-cortex-a15:~# ls -lZ /bin/login*</div>
<div><font color="#0000ff">lrwxrwxrwx. 1 root
root system_u:object_r:bin_t:s0
17 Aug 18 15:06 /bin/login ->
/bin/login.shadow</font></div>
<div><font color="#0000ff">-rwxr-xr-x. 1 root
root system_u:object_r:login_exec_t:s0
31756 Aug 12 07:18 /bin/login.shadow</font></div>
<div>root@arm-cortex-a15:~# mount</div>
<div><font color="#0000ff">/dev/root on / type
ext2 (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">sysfs on /sys type
sysfs (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">selinuxfs on
/sys/fs/selinux type selinuxfs
(rw,relatime)</font></div>
<div><font color="#0000ff">proc on /proc type
proc (rw,relatime)</font></div>
<div><font color="#0000ff">none on /dev type
devtmpfs
(rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)</font></div>
<div><font color="#0000ff">devpts on /dev/pts
type devpts
(rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)</font></div>
<div><font color="#0000ff">tmpfs on
/var/volatile type tmpfs
(rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">tmpfs on /media/ram
type tmpfs (rw,relatime,seclabel)</font></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Please guide me if you find any clue in the above
output.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19,
2015 at 12:38 AM, Daniel J Walsh <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:dwalsh@redhat.com"
target="_blank">dwalsh@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
ls -lZ /usr/bin/login*<br>
<br>
By any chance is the /usr directory
mounted NOSUID?
<div>
<div><br>
<br>
<div>On 08/18/2015 07:58 AM,
Srinivasa Rao Ragolu wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am building for an embedded platform. I could not
get the exact version, but I can provide info about the
recipe in Yocto.</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/"
target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/</a><br>
</div>
<div><a moz-do-not-send="true"
href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb"
target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb</a><br>
</div>
<div><br>
</div>
<div>Any pointers please?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Tue, Aug 18, 2015 at 8:17
PM, Miroslav Grepl <span dir="ltr"><<a href="mailto:mgrepl@redhat.com">mgrepl@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"><span>On
08/18/2015 04:37 PM,
Srinivasa Rao Ragolu
wrote:<br>
> Hi Daniel,<br>
><br>
</span><span>> I have
checked the
file_contexts file<br>
><br>
</span>> * #grep
:login_exec_t
contexts/files/file_contexts*<br>
>
/bin/login--system_u:object_r:login_exec_t:s0<br>
>
/bin/login\.shadow--system_u:object_r:login_exec_t:s0<br>
>
/bin/login\.tinylogin--system_u:object_r:login_exec_t:s0<br>
>
/usr/kerberos/sbin/login\.krb5--system_u:object_r:login_exec_t:s0<br>
<span>><br>
> Now if I run in permissive mode, I could see the below login programs are<br>
> running<br>
> (here I gave unconfined_r as role and s0 as range)<br>
><br>
</span>> * 1109 root
3540 S /bin/login --*<br>
> * 1111 root 0
SW [kauditd]*<br>
> * 1113 root 3020
S -sh*<br>
> *<br>
> *<br>
<span>> But when I run in enforcing mode I get the same error<br>
><br>
</span>>
/*arm-cortex-a15 login:
root*/<br>
> /*Last login: Tue Aug
18 11:36:58 UTC 2015 on
console*/<br>
> /*Would you like to
enter a security context?
[N] Y*/<br>
> /*role:
unconfined_r*/<br>
> /*level: s0*/<br>
> /*[ 1252.885468]
type=1400
audit(1439898856.140:13):
avc: denied {<br>
<span>> transition }
for pid=1120
comm="login"
path="/bin/bash"
dev="mmcblk0"<br>
> ino=58115
scontext=system_u:system_r:init_t:s0<br>
</span>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=process*/<br>
> /*[ 1252.887219]
type=1400
audit(1439898856.140:14):
avc: denied {<br>
<span>> transition }
for pid=1120
comm="login"
path="/bin/bash"
dev="mmcblk0"<br>
> ino=58115
scontext=system_u:system_r:init_t:s0<br>
</span>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=process*/<br>
> /*Cannot execute
/bin/sh: Permission
denied*/<br>
> /*<br>
> */<br>
> /*MontaVista Carrier
Grade Linux 7.0.0
arm-cortex-a15
/dev/console*/<br>
> /*<br>
> */<br>
> /*arm-cortex-a15
login:*/<br>
> /*<br>
> */<br>
> /*<br>
> */<br>
> /Please guide me what
is going wrong and how to
resolve this issue./<br>
> /<br>
> /<br>
> /Thanks,/<br>
> /Srinivas./<br>
<span>><br>
> On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>> wrote:<br>
</span><span>
><br>
> What is the
path to the login
program? What is it
labeled? The<br>
> problem is
login is running with
the wrong context.<br>
><br>
> It should be
labeled login_exec_t<br>
><br>
> grep
:login_exec_t
/etc/selinux/targeted/contexts/files/file_contexts<br>
> /bin/login
--
system_u:object_r:login_exec_t:s0<br>
> /usr/bin/login
--
system_u:object_r:login_exec_t:s0<br>
>
/usr/kerberos/sbin/login\.krb5
--<br>
>
system_u:object_r:login_exec_t:s0<br>
><br>
><br>
> init_t is
supposed to transition
to local_login_t when
executing the<br>
> login program.<br>
><br>
><br>
> On 08/18/2015
06:17 AM, Srinivasa Rao
Ragolu wrote:<br>
>> Hi Daniel,<br>
>><br>
>> Thanks for the quick reply. Please find the first-time boot log with<br>
>> labeling and reboot.<br>
>><br>
>> Also find the second-time boot log when I created /.autorelabel.<br>
>><br>
>> Somehow I was not able to log in as root.<br>
>><br>
>> Your help is really appreciated.<br>
>><br>
>> Thanks,<br>
>> Srinivas.<br>
>><br>
>> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>> wrote:<br>
</span><span>
>><br>
>> Looks
like you have a labeling
issue.<br>
>><br>
>> touch
/.autorelabel; reboot<br>
>><br>
>> Should
fix the issues.<br>
>><br>
>><br>
>><br>
>> On
08/18/2015 04:53 AM,
Srinivasa Rao Ragolu
wrote:<br>
>>> Hi
All,<br>
>>><br>
>>> I am very new to SELinux. Today I ported SELinux to my<br>
>>> embedded platform with targeted policy + enforcing.<br>
>>><br>
>>> When I try to boot, it completes labeling the filesystem, but I<br>
>>> am not able to log in as root. See my error log:<br>
>>><br>
</span>>>>
/*arm-cortex-a15 login:
root*/<br>
>>>
/*Last login: Tue Aug 18
11:36:58 UTC 2015 on
console*/<br>
>>>
/*Would you like to enter
a security context? [N]
Y*/<br>
>>>
/*role: unconfined_r*/<br>
>>>
/*level: s0*/<br>
>>> /*[
1252.885468] type=1400
audit(1439898856.140:13):
avc:<br>
<span>>>>
denied { transition }
for pid=1120
comm="login"<br>
>>>
path="/bin/bash"
dev="mmcblk0" ino=58115<br>
>>>
scontext=system_u:system_r:init_t:s0<br>
>>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
</span>>>>
tclass=process*/<br>
>>> /*[
1252.887219] type=1400
audit(1439898856.140:14):
avc:<br>
<span>>>>
denied { transition }
for pid=1120
comm="login"<br>
>>>
path="/bin/bash"
dev="mmcblk0" ino=58115<br>
>>>
scontext=system_u:system_r:init_t:s0<br>
>>>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
</span>>>>
tclass=process*/<br>
>>>
/*Cannot execute /bin/sh:
Permission denied*/<br>
>>> /*<br>
>>> */<br>
>>>
/*MontaVista Carrier
Grade Linux 7.0.0
arm-cortex-a15<br>
>>>
/dev/console*/<br>
>>> /*<br>
>>> */<br>
>>>
/*arm-cortex-a15 login:*/<br>
>>> /*<br>
>>> */<br>
<span>>>>
Please help me. How can I solve this issue and achieve<br>
>>> a normal boot?<br>
>>><br>
>>><br>
>>>
Thanks,<br>
>>>
Srinivas.<br>
>>><br>
>>><br>
>>> --<br>
>>>
selinux mailing list<br>
>>> <a href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a><br>
</span><span>>>>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
>><br>
>><br>
>><br>
>><br>
</span><span>
><br>
><br>
><br>
><br>
><br>
<br>
</span>What does<br>
<br>
$ rpm -q selinux-policy-targeted<br>
<br>
say?<br>
<br>
Also, could you try to reinstall selinux-policy-targeted to
see if it<br>
blows up?<br>
<span><font
color="#888888"><br>
--<br>
Miroslav Grepl<br>
Senior Software
Engineer, SELinux
Solutions<br>
Red Hat, Inc.<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
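<p>As an added example (not part of the thread above), a small Python script that parses the AVC record quoted in the thread and separates the two hypotheses raised in it: a labeling problem on the login binary versus init_t never entering local_login_t. The sample AVC line and the executable types are constructed from the thread's own output; the mapping of login_exec_t to local_login_t is an assumption taken from Daniel's statement about the targeted refpolicy.</p>

```python
import re

# Constructed sample input: the AVC record quoted in the thread, re-joined
# onto one line after the mail client wrapped it.
SAMPLE_AVC = (
    'type=1400 audit(1439898856.140:13): avc: denied { transition } '
    'for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'
)
# Type of the executable behind each comm, as 'ls -lZ' shows in the thread
# (/bin/login is a symlink to /bin/login.shadow, which is login_exec_t).
SAMPLE_EXE_TYPES = {"login": "login_exec_t"}
# Assumption: entrypoint type -> domain that init_t should enter when it
# executes that file, as the thread states for login (targeted refpolicy).
ENTRYPOINT_DOMAIN = {"login_exec_t": "local_login_t"}

def parse_avc(line):
    """Split an 'avc: denied' record into its permissions and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{\s*([\w\s]+?)\s*\}\s+for\s+(.*)$', line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields["perms"] = m.group(1).split()
    for key in ("scontext", "tcontext"):
        # user:role:type[:range] -> keep the type component on its own
        fields[key + "_type"] = fields.get(key, "?:?:unknown").split(":")[2]
    return fields

def diagnose(fields, exe_types):
    """Tell a labeling problem apart from a missing domain transition."""
    if not fields or fields.get("tclass") != "process" or "transition" not in fields["perms"]:
        return "not a process transition denial"
    comm, src, dst = fields.get("comm"), fields["scontext_type"], fields["tcontext_type"]
    path = fields.get("path", "?")
    exe_type = exe_types.get(comm)
    expected = ENTRYPOINT_DOMAIN.get(exe_type)
    if expected is None:
        # The file being run is not an entrypoint type: fix labels first.
        return f"labeling: {comm} executable is {exe_type}, not an entrypoint type"
    if src != expected:
        # Labels are right, but init never left its own domain for login.
        return (f"policy: {comm} runs as {src} but should have entered {expected} "
                f"via {exe_type}; without that entrypoint transition its exec of "
                f"{path} as {dst} is denied")
    return f"policy: {src} lacks a transition rule to {dst} for {path}"

if __name__ == "__main__":
    print(diagnose(parse_avc(SAMPLE_AVC), SAMPLE_EXE_TYPES))
```

On the thread's data it reports that login is still running as init_t although its executable is correctly labeled, which is the same conclusion Daniel reaches: the labels are fine and the missing piece is the init_t to local_login_t transition.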
<br>
</body>
</html>