Please help me in resolving this issue

Srinivasa Rao Ragolu sragolu at mvista.com
Tue Aug 18 14:37:58 UTC 2015


Hi Daniel,

I have checked the file_contexts file

* #grep :login_exec_t contexts/files/file_contexts*
/bin/login -- system_u:object_r:login_exec_t:s0
/bin/login\.shadow -- system_u:object_r:login_exec_t:s0
/bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0

Now if I run with permissive mode, I can see that the login programs below are
running
(Here I gave unconfined_r as role and s0 as range)

* 1109 root      3540 S    /bin/login --*
* 1111 root         0 SW   [kauditd]*
* 1113 root      3020 S    -sh*

But when I run with enforcing mode I get the same error

*arm-cortex-a15 login: root*
*Last login: Tue Aug 18 11:36:58 UTC 2015 on console*
*Would you like to enter a security context? [N]  Y*
*role: unconfined_r*
*level: s0*
*[ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  {
transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
ino=58115 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*
*[ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  {
transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
ino=58115 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*
*Cannot execute /bin/sh: Permission denied*

*MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console*

*arm-cortex-a15 login:*


*Please guide me what is going wrong and how to resolve this issue.*

*Thanks,*
*Srinivas.*

On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> What is the path to the login program?  What is it labeled?  The problem
> is login is running with the wrong context.
>
> It should be labeled login_exec_t
>
> grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
> /bin/login    --    system_u:object_r:login_exec_t:s0
> /usr/bin/login    --    system_u:object_r:login_exec_t:s0
> /usr/kerberos/sbin/login\.krb5    --    system_u:object_r:login_exec_t:s0
>
>
> init_t is supposed to transition to local_login_t when executing the login
> program.
>
>
> On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>
> Hi Daniel,
>
> Thanks for the quick reply. Please find the first-time boot log with labeling and
> reboot.
>
> Also find the second-time boot log when I created /.autorelablel.
>
> Somehow I am not able to log in as root.
>
> Your help is really appreciated.
>
> Thanks,
> Srinivas.
>
> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> Looks like you have a labeling issue.
>>
>> touch /.autorelabel; reboot
>>
>> Should fix the issues.
>>
>>
>>
>> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>>
>> Hi All,
>>
>> I am very new to SELinux. Today I have ported SELinux to my embedded
>> platform with targeted policy+enforcing.
>>
>> When I try to boot, it completes labeling the filesystem. But I am not
>> able to log in using root. See my error log...
>>
>> *arm-cortex-a15 login: root*
>> *Last login: Tue Aug 18 11:36:58 UTC 2015 on console*
>> *Would you like to enter a security context? [N]  Y*
>> *role: unconfined_r*
>> *level: s0*
>> *[ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  {
>> transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
>> ino=58115 scontext=system_u:system_r:init_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*
>> *[ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  {
>> transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
>> ino=58115 scontext=system_u:system_r:init_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process*
>> *Cannot execute /bin/sh: Permission denied*
>>
>> *MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console*
>>
>> *arm-cortex-a15 login:*
>>
>> Please help me. How can I solve this issue and achieve normal boot?
>>
>>
>> Thanks,
>> Srinivas.
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
>
>
>
>
>
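The check Daniel describes, as an added example that is not part of the original thread: it reads an `avc: denied { transition }` record and reports whether `login` is running in `local_login_t`, the domain the thread says `init_t` should transition to. The function names and verdict strings are assumptions of this example, and the sample record is the thread's first denial joined onto one line.

```shell
#!/bin/sh
# Added example (not from the thread): triage a "{ transition }" AVC denial.
# SAMPLE is the thread's first denial, joined onto one line for parsing.
SAMPLE='type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'

# avc_field LINE KEY: print the value of KEY=value, without quotes.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# context_type CONTEXT: print the type, the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_login_denial LINE: print one verdict (names are this example's own):
#   not-transition  the record is not a process transition denial
#   wrong-domain    login is not in local_login_t, so the init_t ->
#                   local_login_t transition did not happen at exec time
#   other           anything else (for example login already in local_login_t)
triage_login_denial() {
    case $1 in
        *'{ transition }'*) ;;
        *) echo not-transition; return 0 ;;
    esac
    [ "$(avc_field "$1" tclass)" = process ] || { echo not-transition; return 0; }
    stype=$(context_type "$(avc_field "$1" scontext)")
    if [ "$(avc_field "$1" comm)" = login ] && [ "$stype" != local_login_t ]; then
        echo wrong-domain
    else
        echo other
    fi
}

# On the target only (assumes ls -Z and matchpathcon are installed): print the
# label actually on disk, then the label file_contexts expects for the path.
show_labels() {
    ls -Z "$1"
    matchpathcon "$1"
}

echo "verdict: $(triage_login_denial "$SAMPLE")"
```

A `wrong-domain` verdict points at the label on the login binary itself, which `show_labels /bin/login` lets you compare against the `file_contexts` entry on the target.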