<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Ok so this is using your own policy. Using system v init usually
meant you went from init_t @ initrc_exec_t -> initrc_t @
mydomain_exec_t -> mydomain_t<br>
<br>
You usually did not transition from the init system directly to the
final domain. <br>
<br>
Are your init scripts labeled initrc_exec_t?<br>
<br>
<br>
<div class="moz-cite-prefix">On 08/24/2015 05:15 AM, Srinivasa Rao
Ragolu wrote:<br>
</div>
<blockquote
cite="mid:CAH4+OFrp3dSQW6f8AjwiYzBo5YC1Tj3a+48f0xb4aQWbGhfP4w@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Daniel,
<div><br>
</div>
<div>Sure. Sorry for the late reply. I am sharing details now.</div>
<div><br>
</div>
<div>As I am using an embedded platform, I am referring to the yocto bitbake
recipes for building the selinux layer (i.e. <a
moz-do-not-send="true"
href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux</a>)</div>
<div><br>
</div>
<div>Policy is targeted/enforcing. version is 2.3.</div>
<div><br>
</div>
<div>
<div><i>root@arm-cortex-a15:~# rpm -qa | grep selinux</i></div>
<div><i>packagegroup-selinux-policycoreutils-lic-1.0-r0.cortexa15hf_vfp</i></div>
<div><i>packagegroup-core-selinux-lic-1.0-r0.cortexa15hf_vfp</i></div>
<div><i>selinux-config-lic-0.1-r4.arm_cortex_a15</i></div>
<div><i>libselinux-lic-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>selinux-config-0.1-r4.arm_cortex_a15</i></div>
<div><i>libselinux-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>libselinux-bin-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>libselinux-python-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>pam-plugin-selinux-1.1.6-r2.4.2.cortexa15hf_vfp</i></div>
<div><i>system-config-selinux-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>packagegroup-selinux-policycoreutils-1.0-r0.cortexa15hf_vfp</i></div>
<div><i>packagegroup-core-selinux-1.0-r0.cortexa15hf_vfp</i></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I am using sysvinit. Every daemon is running in its own
context. Please see the attached rootfs log.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks and Regards,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Aug 21, 2015 at 12:49 AM,
Daniel J Walsh <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>
<div class="h5"> <br>
<br>
<div>On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>Please find the security contexts of
necessary files</div>
<div><br>
</div>
<div>
<div>root@arm-cortex-a15:~# sestatus -v</div>
<div>SELinux status: enabled</div>
<div>SELinuxfs mount: /sys/fs/selinux</div>
<div>SELinux root directory: /etc/selinux</div>
<div>Loaded policy name: targeted</div>
<div>Current mode: permissive</div>
<div>Mode from config file: permissive</div>
<div>Policy MLS status: enabled</div>
<div>Policy deny_unknown status: allowed</div>
<div>Max kernel policy version: 28</div>
<div><br>
</div>
<div>Process contexts:</div>
<div>Current context: unconfined_u:unconfined_r:unconfined_t:s0</div>
<div>Init context: system_u:system_r:init_t:s0</div>
<div><br>
</div>
<div>File contexts:</div>
<div>Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0</div>
<div>/etc/passwd system_u:object_r:etc_t:s0</div>
<div>/etc/shadow system_u:object_r:shadow_t:s0</div>
<div>/bin/bash system_u:object_r:shell_exec_t:s0</div>
<div>/bin/login system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0</div>
<div>/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0</div>
<div>/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0</div>
<div>/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0</div>
</div>
<div><br>
</div>
<div>Do I need to change any of the file contexts
to avoid the issue of login failure?</div>
<div><br>
</div>
</div>
</blockquote>
</div>
</div>
The problem is the login program is not transitioning from
init_t to local_login_t. <br>
<br>
You never answered the question about what version of
selinux-policy<br>
<br>
rpm -q selinux-policy<br>
<br>
Is this system using systemd?<br>
<br>
Are other programs running in different contexts besides
kernel_t and init_t?
<div>
<div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <span dir="ltr"><<a moz-do-not-send="true" href="mailto:sragolu@mvista.com" target="_blank">sragolu@mvista.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">As I was not able to log in, I changed /etc/selinux/config from enforcing
to permissive and executed the above commands.</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <span dir="ltr"><<a moz-do-not-send="true" href="mailto:sragolu@mvista.com" target="_blank">sragolu@mvista.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Daniel,
<div><br>
</div>
<div>Please see the output of the security contexts. Also, no /usr is mounted.</div>
<div><br>
</div>
<div>
<div>root@arm-cortex-a15:~# ls -lZ /bin/login*</div>
<div><font color="#0000ff">lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow</font></div>
<div><font color="#0000ff">-rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow</font></div>
<div>root@arm-cortex-a15:~# mount</div>
<div><font color="#0000ff">/dev/root on / type ext2 (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">sysfs on /sys type sysfs (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)</font></div>
<div><font color="#0000ff">proc on /proc type proc (rw,relatime)</font></div>
<div><font color="#0000ff">none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)</font></div>
<div><font color="#0000ff">devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)</font></div>
<div><font color="#0000ff">tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)</font></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Please guide if you find any clue from the above output.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <span dir="ltr"><<a moz-do-not-send="true" href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> ls -lZ /usr/bin/login*<br>
<br>
By any chance is the /usr directory mounted NOSUID?
<div>
<div><br>
<br>
<div>On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am building for an embedded platform. I could not get the exact version, but I can provide info about the recipe in yocto.</div>
<div><br>
</div>
<div><a moz-do-not-send="true" href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/" target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/</a><br>
</div>
<div><a moz-do-not-send="true" href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb" target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb</a><br>
</div>
<div><br>
</div>
<div>Any pointers please?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <span dir="ltr"><<a moz-do-not-send="true" href="mailto:mgrepl@redhat.com" target="_blank">mgrepl@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:<br>
> Hi Daniel,<br>
><br>
> I have checked the file_contexts file<br>
><br>
> #grep :login_exec_t contexts/files/file_contexts<br>
> /bin/login--system_u:object_r:login_exec_t:s0<br>
> /bin/login\.shadow--system_u:object_r:login_exec_t:s0<br>
> /bin/login\.tinylogin--system_u:object_r:login_exec_t:s0<br>
> /usr/kerberos/sbin/login\.krb5--system_u:object_r:login_exec_t:s0<br>
><br>
> Now if I run in permissive mode, I can see the login programs below are<br>
> running<br>
> (Here I gave unconfined_r as role and s0 as range)<br>
><br>
> 1109 root 3540 S /bin/login --<br>
> 1111 root 0 SW [kauditd]<br>
> 1113 root 3020 S -sh<br>
><br>
><br>
> But when I run in enforcing mode I get the same error<br>
><br>
> arm-cortex-a15 login: root<br>
> Last login: Tue Aug 18 11:36:58 UTC 2015 on console<br>
> Would you like to enter a security context? [N] Y<br>
> role: unconfined_r<br>
> level: s0<br>
> [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied {<br>
> transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"<br>
> ino=58115 scontext=system_u:system_r:init_t:s0<br>
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process<br>
> [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied {<br>
> transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"<br>
> ino=58115 scontext=system_u:system_r:init_t:s0<br>
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process<br>
> Cannot execute /bin/sh: Permission denied<br>
><br>
><br>
> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console<br>
><br>
><br>
> arm-cortex-a15 login:<br>
><br>
><br>
><br>
><br>
> Please guide me what is going wrong and how to resolve this issue.<br>
><br>
><br>
> Thanks,<br>
> Srinivas.<br>
><br>
> On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <<a moz-do-not-send="true" href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a><br>
> <mailto:<a moz-do-not-send="true" href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>>> wrote:<br>
><br>
> What is the path to the login program? What is it labeled? The<br>
> problem is login is running with the wrong context.<br>
><br>
> It should be labeled login_exec_t<br>
><br>
> grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts<br>
> /bin/login -- system_u:object_r:login_exec_t:s0<br>
> /usr/bin/login -- system_u:object_r:login_exec_t:s0<br>
> /usr/kerberos/sbin/login\.krb5 --<br>
> system_u:object_r:login_exec_t:s0<br>
><br>
><br>
> init_t is supposed to transition to local_login_t when executing the<br>
> login program.<br>
><br>
><br>
> On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:<br>
>> Hi Daniel,<br>
>><br>
>> Thanks for the quick reply. Please find the first-time boot log with<br>
>> labeling and reboot.<br>
>><br>
>> Also find the second-time boot log when I created /.autorelabel.<br>
>><br>
>> Somehow I could not log in as root.<br>
>><br>
>> Your help is really appreciated.<br>
>><br>
>> Thanks,<br>
>> Srinivas.<br>
>><br>
>> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <<a moz-do-not-send="true" href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a><br>
>> <mailto:<a moz-do-not-send="true" href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>>> wrote:<br>
>><br>
>> Looks like you have a labeling issue.<br>
>><br>
>> touch /.autorelabel; reboot<br>
>><br>
>> Should fix the issues.<br>
>><br>
>><br>
>><br>
>> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:<br>
>>> Hi All,<br>
>>><br>
>>> I am very new to selinux. Today I have ported selinux to my<br>
>>> embedded platform with targeted policy+enforcing.<br>
>>><br>
>>> When I try to boot, it completes labeling the filesystem. But I<br>
>>> could not log in using root.. See my error log...<br>
>>><br>
>>> arm-cortex-a15 login: root<br>
>>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console<br>
>>> Would you like to enter a security context? [N] Y<br>
>>> role: unconfined_r<br>
>>> level: s0<br>
>>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc:<br>
>>> denied { transition } for pid=1120 comm="login"<br>
>>> path="/bin/bash" dev="mmcblk0" ino=58115<br>
>>> scontext=system_u:system_r:init_t:s0<br>
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
>>> tclass=process<br>
>>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc:<br>
>>> denied { transition } for pid=1120 comm="login"<br>
>>> path="/bin/bash" dev="mmcblk0" ino=58115<br>
>>> scontext=system_u:system_r:init_t:s0<br>
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
>>> tclass=process<br>
>>> Cannot execute /bin/sh: Permission denied<br>
>>><br>
>>><br>
>>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15<br>
>>> /dev/console<br>
>>><br>
>>><br>
>>> arm-cortex-a15 login:<br>
>>><br>
>>><br>
>>> Please help me.. How can I solve this issue and achieve<br>
>>> normal boot.<br>
>>><br>
>>><br>
>>> Thanks,<br>
>>> Srinivas.<br>
>>><br>
>>><br>
>>> --<br>
>>> selinux mailing list<br>
>>> <a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
>>> <mailto:<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>><br>
>>> <a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>> selinux mailing list<br>
>> <a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
>> <mailto:<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>><br>
>> <a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
><br>
><br>
><br>
><br>
> --<br>
> selinux mailing list<br>
> <a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
> <a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
><br>
<br>
What does<br>
<br>
$ rpm -q selinux-policy-targeted<br>
<br>
?<br>
<br>
Also could you try to reinstall the selinux-policy-targeted to see if it<br>
blows up?<br>
<span><font color="#888888"><br>
--<br>
Miroslav Grepl<br>
Senior Software Engineer, SELinux Solutions<br>
Red Hat, Inc.<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>--
selinux mailing list
<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>--
selinux mailing list
<a moz-do-not-send="true" href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
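<br>
Added example, not code from this thread or from any of its participants: an offline triage script for the two symptoms discussed above, the AVC record showing login still running as init_t when it tries to transition into the user's shell domain, and the symlinked /bin/login whose own label (bin_t) differs from that of its target (login_exec_t). It parses the audit record into fields, flags a program whose source domain is not the one the thread says it should be in (local_login_t for login), and resolves the ls -lZ symlink to the label that actually governs the exec, since the kernel executes the target file, not the link. The expected-domain table and the column layout assumed for ls -lZ are assumptions; the sample records are copied from the messages above.<br>

```python
"""Triage SELinux login-transition failures from AVC records and ls -lZ output.

Added example for the thread above; the expected-domain table and the
assumed `ls -lZ` column layout are constructed, not taken from any project.
"""
import re
from dataclasses import dataclass

# Sample records copied from the thread above (embedded here as fixtures).
AVC_SAMPLE = [
    'type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 '
    'comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
]
LS_LZ_SAMPLE = """\
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow
-rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow
"""

# Assumed table: the domain each program should run in once its entrypoint
# label is right. local_login_t for login is the domain named in the thread.
EXPECTED_DOMAIN = {"login": "local_login_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    perms: list
    fields: dict

    def domain(self, which):
        """Type component of an scontext/tcontext ('user:role:type[:level]')."""
        return self.fields[which].split(":")[2]


def parse_avc(line):
    """Parse one 'avc: denied { perms } for k=v ...' record; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Avc(m.group("perms").split(), fields)


def diagnose(avc):
    """Findings for a denied process transition, as plain strings."""
    findings = []
    if "transition" not in avc.perms or avc.fields.get("tclass") != "process":
        return findings
    comm = avc.fields.get("comm", "")
    src, dst = avc.domain("scontext"), avc.domain("tcontext")
    expected = EXPECTED_DOMAIN.get(comm)
    if expected and src != expected:
        # The process is still in its parent's domain: the exec of its own
        # binary never triggered a transition, which points at the binary's
        # label (compare ls -lZ with file_contexts, then relabel).
        findings.append(
            f"{comm} is running as {src}, expected {expected}: its binary's "
            f"label did not trigger a domain transition; check ls -lZ against "
            f"file_contexts and relabel")
    findings.append(
        f"no rule lets {src} transition directly to {dst} when executing "
        f"{avc.fields.get('path', '?')}")
    return findings


def parse_ls_lz(listing):
    """Map path -> (label, symlink target or None) from 'ls -lZ' output.

    Assumes the coreutils layout seen in the thread:
    mode links owner group label size month day time name [-> target]."""
    entries = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue
        label, path = parts[4], parts[9]
        target = parts[11] if parts[0].startswith("l") and len(parts) >= 12 else None
        entries[path] = (label, target)
    return entries


def effective_exec_label(listing, path, max_hops=8):
    """Label the kernel uses when `path` is executed: symlinks are followed, so
    the final target's label decides the transition, not the link's own."""
    entries = parse_ls_lz(listing)
    for _ in range(max_hops):
        label, target = entries[path]
        if target is None:
            return label
        path = target
    raise ValueError("symlink chain too long or looping")


if __name__ == "__main__":
    for line in AVC_SAMPLE:
        for finding in diagnose(parse_avc(line)):
            print("-", finding)
    print("/bin/login executes with label", effective_exec_label(LS_LZ_SAMPLE, "/bin/login"))
```

On a real system the same functions can be fed lines from dmesg or `ausearch -m avc` and the output of `ls -lZ` for the login binaries; the point of the symlink resolution is that a bin_t label on /bin/login itself is harmless as long as the target it points at carries login_exec_t.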
<br>
</body>
</html>