<div dir="ltr">Hi Daniel,<div><br></div><div>I have cleaned up and am using a more stable branch of meta-selinux now. Surprisingly, in enforcing mode, if I try to log in as root, it exits with no messages. </div><div><br></div><div>Then I logged in as root user in permissive mode. Please find the results of the above commands on my platform.</div><div><br></div><div><div>1060 avahi 3172 S avahi-daemon: running [arm-cortex-a15.local]</div><div> 1061 avahi 3172 S avahi-daemon: chroot helper</div><div> 1072 distcc 3124 S N /usr/bin/distccd --pid-file=/var/run/distcc.pid --da</div><div> 1076 root 3544 S /bin/login --</div><div> 1078 root 0 SW [kauditd]</div><div> 1080 root 3020 S -sh</div><div> 1081 root 2504 R {ps} /bin/busybox /bin/ps</div><div>root@arm-cortex-a15:~# sesearch -T -t login_exec_t </div><div>Found 3 semantic te rules:</div><div> type_transition rlogind_t login_exec_t : process remote_login_t; </div><div> type_transition telnetd_t login_exec_t : process remote_login_t; </div><div> type_transition getty_t login_exec_t : process local_login_t; </div><div><br></div><div><br></div><div>root@arm-cortex-a15:~# sesearch -T -t getty_exec_t </div><div>Found 2 semantic te rules:</div><div> type_transition init_t getty_exec_t : process getty_t; </div><div> type_transition initrc_t getty_exec_t : process getty_t; </div><div><br></div><div><br></div><div>root@arm-cortex-a15:~# grep getty_exec_t /etc/selinux/targeted/contexts/files/file_contexts</div><div>/sbin/.*getty<span class="" style="white-space:pre">        </span>--<span class="" style="white-space:pre">        </span>system_u:object_r:getty_exec_t:s0</div><div>root@arm-cortex-a15:~#</div></div><div><br></div><div><br></div><div>It looks the same as Fedora. But I am still not able to log in as root user in enforcing mode. Is any other aspect causing this issue?</div><div><br></div><div>Thanks,</div><div>Srinivas.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 25, 2015 at 3:36 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Looking at Fedora policy I see<br>
<br>
sesearch -T -t login_exec_t <br>
Found 4 semantic te rules:<br>
type_transition rlogind_t login_exec_t : process remote_login_t;<br>
type_transition telnetd_t login_exec_t : process remote_login_t;<br>
type_transition getty_t login_exec_t : process local_login_t; <br>
type_transition kmscon_t login_exec_t : process local_login_t; <br>
<br>
Which means only getty_t and kmscon_t transition to local_login_t.<br>
<br>
Then looking at getty_exec_t I see<br>
<br>
sesearch -T -t getty_exec_t <br>
Found 8 semantic te rules:<br>
type_transition kdumpctl_t getty_exec_t : process getty_t; <br>
type_transition piranha_pulse_t getty_exec_t : process getty_t; <br>
type_transition initrc_t getty_exec_t : process getty_t; <br>
type_transition condor_startd_t getty_exec_t : process getty_t; <br>
type_transition glusterd_t getty_exec_t : process getty_t; <br>
type_transition openshift_initrc_t getty_exec_t : process getty_t; <br>
type_transition init_t getty_exec_t : process getty_t; <br>
type_transition cluster_t getty_exec_t : process getty_t; <br>
<br>
<br>
Which shows init_t transitioning to getty_t via getty_exec_t.<br>
<br>
# grep getty_exec_t /etc/selinux/targeted/contexts/files/file_contexts<br>
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0<br>
/usr/sbin/.*getty -- system_u:object_r:getty_exec_t:s0<br>
<br>
So on Fedora the init system executes /usr/sbin/.*getty, which should transition to getty_t.<br>
<br>
We are obviously not seeing this on your platform.<div><div class="h5"><br>
<br>
<div>On 08/24/2015 08:09 AM, Srinivasa Rao Ragolu wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Daniel,
<div><br>
</div>
<div>See the contexts of init scripts</div>
<div><br>
</div>
<div>*******************************************</div>
<div>
<div>root@arm-cortex-a15:~# ls -Z /etc/rc5.d/</div>
<div>system_u:object_r:etc_t:s0 S02dbus-1</div>
<div>system_u:object_r:etc_t:s0 S02sssd</div>
<div>system_u:object_r:etc_t:s0 S20distcc</div>
<div>system_u:object_r:etc_t:s0 S20hwclock.sh</div>
<div>system_u:object_r:etc_t:s0 S20nslcd</div>
<div>system_u:object_r:etc_t:s0 S20syslog</div>
<div>system_u:object_r:etc_t:s0 S21avahi-daemon</div>
<div>system_u:object_r:etc_t:s0 S99rmnologin.sh</div>
<div>system_u:object_r:etc_t:s0 S99stop-bootlogd</div>
<div>root@arm-cortex-a15:~# ls -Z /etc/init.d</div>
<div> system_u:object_r:initrc_exec_t:s0 0selinux-init</div>
<div> system_u:object_r:initrc_exec_t:s0 alignment.sh</div>
<div>system_u:object_r:avahi_initrc_exec_t:s0 avahi-daemon</div>
<div> system_u:object_r:initrc_exec_t:s0 banner.sh</div>
<div> system_u:object_r:initrc_exec_t:s0 bootlogd</div>
<div> system_u:object_r:initrc_exec_t:s0 bootmisc.sh</div>
<div> system_u:object_r:initrc_exec_t:s0 checkroot.sh</div>
<div> system_u:object_r:initrc_exec_t:s0 dbus-1</div>
<div> system_u:object_r:initrc_exec_t:s0 devpts.sh</div>
<div> system_u:object_r:initrc_exec_t:s0 distcc</div>
<div> system_u:object_r:etc_t:s0 functions</div>
<div> system_u:object_r:initrc_exec_t:s0 functions.initscripts</div>
<div> system_u:object_r:initrc_exec_t:s0 functions.lsbinitscripts</div>
<div> system_u:object_r:initrc_exec_t:s0 halt</div>
<div> system_u:object_r:initrc_exec_t:s0 hostname.sh</div>
<div> system_u:object_r:initrc_exec_t:s0 hwclock.sh</div>
</div>
<div>************************************************************************</div>
<div><br>
</div>
<div>/etc/inittab file l0:0:wait:/etc/init.d/rc 0 </div>
<div>******************************************* </div>
<div># /etc/inittab: init(8) configuration.</div>
<div># $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $</div>
<div></div>
<div># The default runlevel.</div>
<div>id:5:initdefault:</div>
<div></div>
<div># Boot-time system configuration/initialization script.</div>
<div># This is run first except when booting in emergency (-b) mode.</div>
<div>si::sysinit:/etc/init.d/rcS </div>
<div> </div>
<div># What to do in single-user mode. </div>
<div>~~:S:wait:/sbin/sulogin </div>
<div> </div>
<div># /etc/init.d executes the S and K scripts upon change</div>
<div># of runlevel. </div>
<div># </div>
<div># Runlevel 0 is halt. </div>
<div># Runlevel 1 is single-user. </div>
<div># Runlevels 2-5 are multi-user.</div>
<div># Runlevel 6 is reboot. </div>
<div>l1:1:wait:/etc/init.d/rc 1 </div>
<div>l2:2:wait:/etc/init.d/rc 2 </div>
<div>l3:3:wait:/etc/init.d/rc 3 </div>
<div>l4:4:wait:/etc/init.d/rc 4 </div>
<div>l5:5:wait:/etc/init.d/rc 5 </div>
<div>l6:6:wait:/etc/init.d/rc 6</div>
<div># Normally not reached, but fallthrough in case of emergency.</div>
<div>z6:6:respawn:/sbin/sulogin</div>
<div>con:2345:respawn:/sbin/getty console </div>
<div>********************************************</div>
<div><br>
</div>
<div><br>
</div>
<div>I am not quite sure which version of the policy it is using, but it is from the built recipes. I referred to the yocto link and provided you the version.</div>
<div><br>
</div>
<div>How can this issue of labelling be resolved?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Aug 24, 2015 at 4:34 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Ok so this is using your own policy. Using system v init usually meant you went from init_t @ initrc_exec_t -> initrc_t @ mydomain_exec_t -> mydomain_t<br>
<br>
You usually did not transition from the init system directly to the final domain. <br>
<br>
Are your init scripts labeled initrc_exec_t?
<div>
<div><br>
<br>
<br>
<div>On 08/24/2015 05:15 AM, Srinivasa Rao Ragolu wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Daniel,
<div><br>
</div>
<div>Sure. Sorry for the late reply. I am sharing the details now.</div>
<div><br>
</div>
<div>As I am using an embedded platform, I am referring to the yocto bitbake recipes for building the selinux layer. (ie: <a href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux" target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux</a>)</div>
<div><br>
</div>
<div>Policy is targeted/enforcing. Version is 2.3.</div>
<div><br>
</div>
<div>
<div><i>root@arm-cortex-a15:~# rpm -qa | grep selinux</i></div>
<div><i>packagegroup-selinux-policycoreutils-lic-1.0-r0.cortexa15hf_vfp</i></div>
<div><i>packagegroup-core-selinux-lic-1.0-r0.cortexa15hf_vfp</i></div>
<div><i>selinux-config-lic-0.1-r4.arm_cortex_a15</i></div>
<div><i>libselinux-lic-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>selinux-config-0.1-r4.arm_cortex_a15</i></div>
<div><i>libselinux-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>libselinux-bin-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>libselinux-python-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>pam-plugin-selinux-1.1.6-r2.4.2.cortexa15hf_vfp</i></div>
<div><i>system-config-selinux-2.3-r0.cortexa15hf_vfp</i></div>
<div><i>packagegroup-selinux-policycoreutils-1.0-r0.cortexa15hf_vfp</i></div>
<div><i>packagegroup-core-selinux-1.0-r0.cortexa15hf_vfp</i></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I am using sysvinit. Every daemon is running in its own context. Please see the attached rootfs log.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks and Regards,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Aug 21, 2015 at 12:49 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>
<div> <br>
<br>
<div>On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>Please find the security contexts of the necessary files</div>
<div><br>
</div>
<div>
<div>root@arm-cortex-a15:~# sestatus -v</div>
<div>SELinux status: enabled</div>
<div>SELinuxfs mount: /sys/fs/selinux</div>
<div>SELinux root directory: /etc/selinux</div>
<div>Loaded policy name: targeted</div>
<div>Current mode: permissive</div>
<div>Mode from config file: permissive</div>
<div>Policy MLS status: enabled</div>
<div>Policy deny_unknown status: allowed</div>
<div>Max kernel policy version: 28</div>
<div><br>
</div>
<div>Process contexts:</div>
<div>Current context: unconfined_u:unconfined_r:unconfined_t:s0</div>
<div>Init context: system_u:system_r:init_t:s0</div>
<div><br>
</div>
<div>File contexts:</div>
<div>Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0</div>
<div>/etc/passwd system_u:object_r:etc_t:s0</div>
<div>/etc/shadow system_u:object_r:shadow_t:s0</div>
<div>/bin/bash system_u:object_r:shell_exec_t:s0</div>
<div>/bin/login system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0</div>
<div>/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0</div>
<div>/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0</div>
<div>/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0</div>
</div>
<div><br>
</div>
<div>Do I need to change any of the file contexts to avoid the issue of login failure?</div>
<div><br>
</div>
</div>
</blockquote>
</div>
</div>
The problem is the login program is not transitioning from init_t to local_login_t.
<br>
<br>
You never answered the question about what version of selinux-policy<br>
<br>
rpm -q selinux-policy<br>
<br>
Is this system using systemd?<br>
<br>
Are other programs running in different contexts besides kernel_t and init_t?
<div>
<div><br>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <span dir="ltr"><<a href="mailto:sragolu@mvista.com" target="_blank">sragolu@mvista.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">As I could not log in, I changed /etc/selinux/config from enforcing to permissive and executed the above commands.</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <span dir="ltr"><<a href="mailto:sragolu@mvista.com" target="_blank">sragolu@mvista.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Daniel,
<div><br>
</div>
<div>Please see the output of the security contexts. Also, no /usr is mounted.</div>
<div><br>
</div>
<div>
<div>root@arm-cortex-a15:~# ls -lZ /bin/login*</div>
<div><font color="#0000ff">lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow</font></div>
<div><font color="#0000ff">-rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow</font></div>
<div>root@arm-cortex-a15:~# mount</div>
<div><font color="#0000ff">/dev/root on / type ext2 (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">sysfs on /sys type sysfs (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)</font></div>
<div><font color="#0000ff">proc on /proc type proc (rw,relatime)</font></div>
<div><font color="#0000ff">none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)</font></div>
<div><font color="#0000ff">devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)</font></div>
<div><font color="#0000ff">tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)</font></div>
<div><font color="#0000ff">tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)</font></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Please guide me if you find any clue from the above output.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> ls -lZ /usr/bin/login*<br>
<br>
By any chance is the /usr directory mounted NOSUID?
<div>
<div><br>
<br>
<div>On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am building for an embedded platform. I could not get the exact version, but I can provide info about the recipe in yocto.</div>
<div><br>
</div>
<div><a href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/" target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/</a><br>
</div>
<div><a href="http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb" target="_blank">http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb</a><br>
</div>
<div><br>
</div>
<div>Any pointers please?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Srinivas.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <span dir="ltr"><<a href="mailto:mgrepl@redhat.com" target="_blank">mgrepl@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:<br>
> Hi Daniel,<br>
><br>
</span><span>> I have checked the file_contexts file<br>
><br>
</span>> *#grep :login_exec_t contexts/files/file_contexts*<br>
> /bin/login -- system_u:object_r:login_exec_t:s0<br>
> /bin/login\.shadow -- system_u:object_r:login_exec_t:s0<br>
> /bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0<br>
> /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0<br>
<span>><br>
> Now if I run with permissive mode, I could see the below login programs are<br>
> running<br>
> (Here I gave unconfined_r as role and s0 as range)<br>
><br>
</span>> * 1109 root 3540 S /bin/login --*<br>
> * 1111 root 0 SW [kauditd]*<br>
> * 1113 root 3020 S -sh*<br>
> *<br>
> *<br>
<span>> But when I run with enforcing mode I get the same error<br>
><br>
</span>> /*arm-cortex-a15 login: root*/<br>
> /*Last login: Tue Aug 18 11:36:58 UTC 2015 on console*/<br>
> /*Would you like to enter a security context? [N] Y*/<br>
> /*role: unconfined_r*/<br>
> /*level: s0*/<br>
> /*[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied {<br>
<span>> transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"<br>
> ino=58115 scontext=system_u:system_r:init_t:s0<br>
</span>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*/<br>
> /*[ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied {<br>
<span>> transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"<br>
> ino=58115 scontext=system_u:system_r:init_t:s0<br>
</span>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*/<br>
> /*Cannot execute /bin/sh: Permission denied*/<br>
> /*<br>
> */<br>
> /*MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console*/<br>
> /*<br>
> */<br>
> /*arm-cortex-a15 login:*/<br>
> /*<br>
> */<br>
> /*<br>
> */<br>
> /Please guide me what is going wrong and how to resolve this issue./<br>
> /<br>
> /<br>
> /Thanks,/<br>
> /Srinivas./<br>
<span>><br>
> On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a><br>
</span><span>> <mailto:<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>>> wrote:<br>
><br>
> What is the path to the login program? What is it labeled? The<br>
> problem is login is running with the wrong context.<br>
><br>
> It should be labeled login_exec_t<br>
><br>
> grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts<br>
> /bin/login -- system_u:object_r:login_exec_t:s0<br>
> /usr/bin/login -- system_u:object_r:login_exec_t:s0<br>
> /usr/kerberos/sbin/login\.krb5 --<br>
> system_u:object_r:login_exec_t:s0<br>
><br>
><br>
> init_t is supposed to transition to local_login_t when executing the<br>
> login program.<br>
><br>
><br>
> On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:<br>
>> Hi Daniel,<br>
>><br>
>> Thanks for the quick reply. Please find the first-time boot log with<br>
>> labeling and reboot.<br>
>><br>
>> Also find the second-time boot log when I created /.autorelabel.<br>
>><br>
>> Somehow I could not log in as root.<br>
>><br>
>> Your help is really appreciated.<br>
>><br>
>> Thanks,<br>
>> Srinivas.<br>
>><br>
>> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a><br>
</span><span>>> <mailto:<a href="mailto:dwalsh@redhat.com" target="_blank">dwalsh@redhat.com</a>>> wrote:<br>
>><br>
>> Looks like you have a labeling issue.<br>
>><br>
>> touch /.autorelabel; reboot<br>
>><br>
>> Should fix the issues.<br>
>><br>
>><br>
>><br>
>> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:<br>
>>> Hi All,<br>
>>><br>
>>> I am very new to selinux. Today I have ported selinux to my<br>
>>> embedded platform with targeted policy+enforcing.<br>
>>><br>
>>> When I try to boot, it completes labeling the filesystem. But I<br>
>>> could not log in using root.. See my error log...<br>
>>><br>
</span>>>> /*arm-cortex-a15 login: root*/<br>
>>> /*Last login: Tue Aug 18 11:36:58 UTC 2015 on console*/<br>
>>> /*Would you like to enter a security context? [N] Y*/<br>
>>> /*role: unconfined_r*/<br>
>>> /*level: s0*/<br>
>>> /*[ 1252.885468] type=1400 audit(1439898856.140:13): avc:<br>
<span>>>> denied { transition } for pid=1120 comm="login"<br>
>>> path="/bin/bash" dev="mmcblk0" ino=58115<br>
>>> scontext=system_u:system_r:init_t:s0<br>
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
</span>>>> tclass=process*/<br>
>>> /*[ 1252.887219] type=1400 audit(1439898856.140:14): avc:<br>
<span>>>> denied { transition } for pid=1120 comm="login"<br>
>>> path="/bin/bash" dev="mmcblk0" ino=58115<br>
>>> scontext=system_u:system_r:init_t:s0<br>
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0<br>
</span>>>> tclass=process*/<br>
>>> /*Cannot execute /bin/sh: Permission denied*/<br>
>>> /*<br>
>>> */<br>
>>> /*MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15<br>
>>> /dev/console*/<br>
>>> /*<br>
>>> */<br>
>>> /*arm-cortex-a15 login:*/<br>
>>> /*<br>
>>> */<br>
<span>>>> Please help me.. How can I solve this issue and achieve a<br>
>>> normal boot.<br>
>>><br>
>>><br>
>>> Thanks,<br>
>>> Srinivas.<br>
>>><br>
>>><br>
>>> --<br>
>>> selinux mailing list<br>
>>> <a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a><br>
</span>>>> <mailto:<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>><br>
<span>>>> <a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a><br>
>><br>
><br>
<br>
</span>What does<br>
<br>
$ rpm -q selinux-policy-targeted<br>
<br>
?<br>
<br>
Also could you try to reinstall the selinux-policy-targeted to see if it<br>
blows up?<br>
<span><font color="#888888"><br>
--<br>
Miroslav Grepl<br>
Senior Software Engineer, SELinux Solutions<br>
Red Hat, Inc.<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
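The whole thread turns on SELinux process domain transitions: Daniel's note that a sysvinit system normally goes init_t @ initrc_exec_t -> initrc_t @ mydomain_exec_t -> mydomain_t, and his later sesearch walk on Fedora showing init_t -> getty_t (on a getty_exec_t file) -> local_login_t (on a login_exec_t file), against an AVC denial in which login is still running as init_t. The script below is an added example, not code from this thread, from meta-selinux or from refpolicy. It parses type_transition lines in the form sesearch -T prints them, walks the chain for a given start domain and sequence of executed file types, and reports the first exec after which the process was not in the domain the policy intended. The sesearch text and the AVC line are constructed inline from what is quoted above; the function names and the wording of the hints are the example's own.

```python
"""Walk an SELinux process domain-transition chain from ``sesearch -T``
output and compare it with the source domain in an AVC denial, to find the
exec step after which the process did not end up where policy says it should.
Added example; not code from the mailing-list thread."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the Fedora rules quoted in the thread, in the
# format sesearch prints them (two queries concatenated).
SESEARCH_OUTPUT = """\
Found 4 semantic te rules:
   type_transition rlogind_t login_exec_t : process remote_login_t;
   type_transition telnetd_t login_exec_t : process remote_login_t;
   type_transition getty_t login_exec_t : process local_login_t;
   type_transition kmscon_t login_exec_t : process local_login_t;
Found 2 semantic te rules:
   type_transition init_t getty_exec_t : process getty_t;
   type_transition initrc_t getty_exec_t : process getty_t;
"""

# Constructed sample input: the denial from the first post, joined onto one line.
AVC_LINE = (
    'type=1400 audit(1439898856.140:13): avc:  denied  { transition }  '
    'for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'
)

Rule = Tuple[str, str, str]             # (source domain, file type, class)
Step = Tuple[str, str, Optional[str]]   # (domain before, file type, domain after)

_RULE_RE = re.compile(r'type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;')
_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)')


def parse_type_transitions(text: str) -> Dict[Rule, str]:
    """Map (source, target type, class) -> default type for each
    type_transition line; the 'Found N ... rules' lines are ignored."""
    return {(src, tgt, cls): default
            for src, tgt, cls, default in _RULE_RE.findall(text)}


def walk_chain(rules: Dict[Rule, str], start: str, exec_types: List[str]) -> List[Step]:
    """Starting in `start`, execute each file type in turn.  A step whose
    'after' is None means the policy has no process type_transition for that
    (domain, file type) pair: the process would stay in the old domain, so
    the walk stops there."""
    steps: List[Step] = []
    current = start
    for exec_type in exec_types:
        after = rules.get((current, exec_type, 'process'))
        steps.append((current, exec_type, after))
        if after is None:
            break
        current = after
    return steps


def parse_avc(line: str) -> Dict[str, object]:
    """Extract comm, denied permissions, contexts and class from one AVC line;
    'sdomain' is the type field of scontext (user:role:type:level)."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial: %r' % line)
    d: Dict[str, object] = dict(m.groupdict())
    d['perms'] = str(d['perms']).split()
    d['sdomain'] = str(d['scontext']).split(':')[2]
    return d


def diagnose(rules: Dict[Rule, str], avc: Dict[str, object],
             start: str, exec_types: List[str]) -> str:
    """Say which exec in the expected chain did not change the domain,
    judging by the scontext the denial reports for the process."""
    chain = walk_chain(rules, start, exec_types)
    before, exec_type, after = chain[-1]
    if after is None:
        return ('no process type_transition from %s on %s: the chain is '
                'broken in the policy itself' % (before, exec_type))
    actual = str(avc['sdomain'])
    if actual == after:
        return ('%s runs in %s as the policy intends; the denial is about '
                '{ %s } on class %s, not a missing transition'
                % (avc['comm'], actual, ' '.join(avc['perms']), avc['tclass']))
    for before, exec_type, after in chain:
        if actual == before:
            return ('%s is still in %s: executing a %s file should have moved '
                    'it to %s; check that the file actually executed carries '
                    'the %s label (ls -lZ on the resolved path)'
                    % (avc['comm'], before, exec_type, after, exec_type))
    return '%s is in %s, which is not on the chain %s' % (
        avc['comm'], actual, ' -> '.join([start] + [s[2] for s in chain]))


if __name__ == '__main__':
    rules = parse_type_transitions(SESEARCH_OUTPUT)
    print(diagnose(rules, parse_avc(AVC_LINE), 'init_t', ['getty_exec_t', 'login_exec_t']))
```

On the target itself, paste in the real output of `sesearch -T -t getty_exec_t` and `sesearch -T -t login_exec_t` and the first AVC line from dmesg. For the denial quoted in this thread the report is that login is still in init_t after an exec that should have landed in getty_t, which points at the label on the file init actually executed for getty; that is what the thread's grep of file_contexts and ls -lZ checks were establishing. Passing only ['login_exec_t'] from init_t shows the other fact Daniel pointed out: the Fedora policy has no direct init_t -> local_login_t transition, only getty_t and kmscon_t get one.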