Hi Daniel,
I have checked the file_contexts file
* #grep :login_exec_t contexts/files/file_contexts*
/bin/login -- system_u:object_r:login_exec_t:s0
/bin/login\.shadow -- system_u:object_r:login_exec_t:s0
/bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
Now if I run in permissive mode, I can see the login programs below are
running
(here I gave unconfined_r as the role and s0 as the range):
1109 root 3540 S /bin/login --
1111 root 0 SW [kauditd]
1113 root 3020 S -sh

But when I run in enforcing mode I get the same error:
arm-cortex-a15 login: root
Last login: Tue Aug 18 11:36:58 UTC 2015 on console
Would you like to enter a security context? [N] Y
role: unconfined_r
level: s0
[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Cannot execute /bin/sh: Permission denied

MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console

arm-cortex-a15 login:

Please guide me on what is going wrong and how to resolve this issue.

Thanks,
Srinivas.

On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
What is the path to the login program? What is it labeled? The
problem is login is running with the wrong context.
It should be labeled login_exec_t

grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
/bin/login -- system_u:object_r:login_exec_t:s0
/usr/bin/login -- system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0

init_t is supposed to transition to local_login_t when executing the
login program.
On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
> Hi Daniel,
>
> Thanks for the quick reply. Please find the first-time boot log with
> labeling and reboot.
>
> Also find the second-time boot log when I created /.autorelablel.
>
> Somehow I am not able to log in as root.
>
> Your help is really appreciated.
>
> Thanks,
> Srinivas.
>
> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
> Looks like you have a labeling issue.
>
> touch /.autorelabel; reboot
>
> Should fix the issues.
>
>
>
> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>> Hi All,
>>
>> I am very new to SELinux. Today I have ported SELinux to my
>> embedded platform with targeted policy+enforcing.
>>
>> When I try to boot, it completes labeling the filesystem. But I
>> am not able to log in as root. See my error log:
>>
>> arm-cortex-a15 login: root
>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>> Would you like to enter a security context? [N] Y
>> role: unconfined_r
>> level: s0
>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> Cannot execute /bin/sh: Permission denied
>>
>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>
>> arm-cortex-a15 login:
>>
>> Please help me. How can I solve this issue and achieve a
>> normal boot?
>>
>>
>> Thanks,
>> Srinivas.
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
What does
$ rpm -q selinux-policy-targeted
?
Also could you try to reinstall the selinux-policy-targeted to see if it
blows up?
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
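
Added example (not part of the thread, and not code from any poster): a small parser for the AVC denials quoted above that flags the condition Daniel describes, a login process still running in init_t instead of local_login_t. The function names are hypothetical; the sample record is the first denial from the thread, left wrapped as the console printed it.

```python
import re

# Everything after "avc: denied { perms } for" is a run of key=value pairs.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First denial from the thread, kept line-wrapped as it appeared on the console.
SAMPLE = """[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied {
transition } for pid=1120 comm="login" path="/bin/bash"
dev="mmcblk0"
ino=58115 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process"""


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(record):
    """Parse one AVC denial (possibly line-wrapped) into a dict, or None."""
    match = AVC_RE.search(" ".join(record.split()))  # undo console wrapping
    if match is None:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(match["rest"])}
    fields["perms"] = match["perms"].split()
    fields["source_type"] = context_type(fields.get("scontext", ""))
    fields["target_type"] = context_type(fields.get("tcontext", ""))
    return fields


def diagnose_login(record, login_domain="local_login_t"):
    """Flag a login process denied a process transition while outside login_domain."""
    avc = parse_avc(record)
    if avc is None or avc.get("comm") != "login" or avc.get("tclass") != "process":
        return None
    if "transition" not in avc["perms"] or avc["source_type"] == login_domain:
        return None
    return (f"login (pid {avc.get('pid')}) is still in {avc['source_type']}, "
            f"not {login_domain}; check that the login binary is labeled "
            f"login_exec_t (denied transition to {avc['target_type']})")


if __name__ == "__main__":
    print(diagnose_login(SAMPLE))
```

The source type in `scontext` is the useful field here: a denial whose source is init_t with comm="login" means the init_t to local_login_t transition never happened, which points at the label on the login executable rather than at the user's shell.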