Please help me in resolving this issue
Srinivasa Rao Ragolu
sragolu at mvista.com
Tue Aug 18 14:58:10 UTC 2015
Hi,
I am building for an embedded platform. I was not able to get the exact version.
But I can provide info about the recipe in Yocto.
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb
Any pointers please?
Thanks,
Srinivas.
On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl at redhat.com> wrote:
> On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
> > Hi Daniel,
> >
> > I have checked the file_contexts file
> >
> > * #grep :login_exec_t contexts/files/file_contexts*
> > /bin/login--system_u:object_r:login_exec_t:s0
> > /bin/login\.shadow--system_u:object_r:login_exec_t:s0
> > /bin/login\.tinylogin--system_u:object_r:login_exec_t:s0
> > /usr/kerberos/sbin/login\.krb5--system_u:object_r:login_exec_t:s0
> >
> > Now if I run in permissive mode, I can see that the login programs below
> > are running
> > (here I gave unconfined_r as role and s0 as range)
> >
> > 1109 root 3540 S /bin/login --
> > 1111 root 0 SW [kauditd]
> > 1113 root 3020 S -sh
> >
> > But when I run in enforcing mode I get the same error
> >
> > arm-cortex-a15 login: root
> > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
> > Would you like to enter a security context? [N] Y
> > role: unconfined_r
> > level: s0
> > [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied {
> > transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
> > ino=58115 scontext=system_u:system_r:init_t:s0
> > tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> > [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied {
> > transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
> > ino=58115 scontext=system_u:system_r:init_t:s0
> > tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> > Cannot execute /bin/sh: Permission denied
> >
> > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
> >
> > arm-cortex-a15 login:
> >
> > Please guide me what is going wrong and how to resolve this issue.
> >
> > Thanks,
> > Srinivas.
> >
> > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >
> > What is the path to the login program? What is it labeled? The
> > problem is login is running with the wrong context.
> >
> > It should be labeled login_exec_t
> >
> > grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
> > /bin/login -- system_u:object_r:login_exec_t:s0
> > /usr/bin/login -- system_u:object_r:login_exec_t:s0
> > /usr/kerberos/sbin/login\.krb5 --
> > system_u:object_r:login_exec_t:s0
> >
> >
> > init_t is supposed to transition to local_login_t when executing the
> > login program.
> >
> >
> > On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
> >> Hi Daniel,
> >>
> >> Thanks for the quick reply. Please find the first-time boot log with
> >> labeling and reboot.
> >>
> >> Also find the second-time boot log from when I created /.autorelablel.
> >>
> >> Somehow I could not log in as root.
> >>
> >> Your help is really appreciated.
> >>
> >> Thanks,
> >> Srinivas.
> >>
> >> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>
> >> Looks like you have a labeling issue.
> >>
> >> touch /.autorelabel; reboot
> >>
> >> Should fix the issues.
> >>
> >>
> >>
> >> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
> >>> Hi All,
> >>>
> >>> I am very new to SELinux. Today I ported SELinux to my
> >>> embedded platform with targeted policy + enforcing.
> >>>
> >>> When I try to boot, it completes labeling the filesystem. But I
> >>> could not log in as root. See my error log...
> >>>
> >>> arm-cortex-a15 login: root
> >>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
> >>> Would you like to enter a security context? [N] Y
> >>> role: unconfined_r
> >>> level: s0
> >>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc:
> >>> denied { transition } for pid=1120 comm="login"
> >>> path="/bin/bash" dev="mmcblk0" ino=58115
> >>> scontext=system_u:system_r:init_t:s0
> >>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
> >>> tclass=process
> >>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc:
> >>> denied { transition } for pid=1120 comm="login"
> >>> path="/bin/bash" dev="mmcblk0" ino=58115
> >>> scontext=system_u:system_r:init_t:s0
> >>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
> >>> tclass=process
> >>> Cannot execute /bin/sh: Permission denied
> >>>
> >>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15
> >>> /dev/console
> >>>
> >>> arm-cortex-a15 login:
> >>>
> >>> Please help me. How can I solve this issue and achieve a
> >>> normal boot?
> >>>
> >>>
> >>> Thanks,
> >>> Srinivas.
> >>>
> >>>
> >>> --
> >>> selinux mailing list
> >>> selinux at lists.fedoraproject.org
> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> What does
>
> $ rpm -q selinux-policy-targeted
>
> ?
>
> Also could you try to reinstall the selinux-policy-targeted to see if it
> blows up?
>
> --
> Miroslav Grepl
> Senior Software Engineer, SELinux Solutions
> Red Hat, Inc.
>
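
The diagnosis quoted above (login still running as init_t instead of transitioning to local_login_t) can be read straight off the AVC record; the following is an added example, not part of the original thread. The function names are hypothetical, the sample record is the one quoted in the thread joined onto one line, and `login_label` assumes the target's `ls` supports `-Z` and `readlink` supports `-f`.

```shell
#!/bin/sh
# Constructed sample: the first AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC='type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'

# avc_field LINE KEY: print the value of KEY=value from an AVC record, quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms LINE: print the permission list found between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# triage_login_denial LINE: classify a denial the way the reply in the thread does.
triage_login_denial() {
    stype=$(avc_field "$1" scontext | cut -d: -f3)   # source domain (type field)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)   # requested target domain
    comm=$(avc_field "$1" comm)
    case "$(avc_field "$1" tclass):$(avc_perms "$1")" in
        process:*transition*) ;;                     # a domain transition was denied
        *) echo "other-denial"; return 0 ;;
    esac
    if [ "$comm" = "login" ] && [ "$stype" = "init_t" ]; then
        # login is still in init's domain, so init_t -> local_login_t never happened.
        echo "login-in-init_t: check that the login binary is labeled login_exec_t"
    else
        echo "transition-denied: $stype -> $ttype"
    fi
}

# login_label PATH: print the on-disk context of PATH and of the file it resolves to.
# Assumes ls -Z and readlink -f are available on the target.
login_label() {
    ls -Zd "$1" "$(readlink -f "$1")"
}

if [ "${1:-}" = "--demo" ]; then
    triage_login_denial "$SAMPLE_AVC"
fi
```

On the target, `login_label /bin/login` shows the label to compare against the `login_exec_t` entries in `file_contexts`.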