Please help me in resolving this issue

Daniel J Walsh dwalsh at redhat.com
Tue Aug 18 19:08:38 UTC 2015


ls -lZ /usr/bin/login*

By any chance is the /usr directory mounted NOSUID?

On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
> Hi,
>
> I am building for an embedded platform. I could not get the exact
> version, but I can provide info about the recipe in yocto.
>
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb
>
> Any pointers please?
>
> Thanks,
> Srinivas.
>
> On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl at redhat.com> wrote:
>
>     On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
>     > Hi Daniel,
>     >
>     > I have checked the file_contexts file
>     >
>     > #grep :login_exec_t contexts/files/file_contexts
>     > /bin/login--system_u:object_r:login_exec_t:s0
>     > /bin/login\.shadow--system_u:object_r:login_exec_t:s0
>     > /bin/login\.tinylogin--system_u:object_r:login_exec_t:s0
>     > /usr/kerberos/sbin/login\.krb5--system_u:object_r:login_exec_t:s0
>     >
>     > Now if I run in permissive mode, I could see the login programs below
>     > running
>     > (here I gave unconfined_r as role and s0 as range):
>     >
>     > 1109 root      3540 S    /bin/login --
>     > 1111 root         0 SW   [kauditd]
>     > 1113 root      3020 S    -sh
>     >
>     > But when I run in enforcing mode I get the same error:
>     >
>     > arm-cortex-a15 login: root
>     > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>     > Would you like to enter a security context? [N]  Y
>     > role: unconfined_r
>     > level: s0
>     > [ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  {
>     > transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
>     > ino=58115 scontext=system_u:system_r:init_t:s0
>     > tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>     > [ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  {
>     > transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0"
>     > ino=58115 scontext=system_u:system_r:init_t:s0
>     > tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>     > Cannot execute /bin/sh: Permission denied
>     >
>     > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>     >
>     > arm-cortex-a15 login:
>     >
>     > Please guide me on what is going wrong and how to resolve this issue.
>     >
>     > Thanks,
>     > Srinivas.
>     >
>     > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>     >
>     >     What is the path to the login program?  What is it labeled?  The
>     >     problem is login is running with the wrong context.
>     >
>     >     It should be labeled login_exec_t
>     >
>     >     grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
>     >     /bin/login    --    system_u:object_r:login_exec_t:s0
>     >     /usr/bin/login    --    system_u:object_r:login_exec_t:s0
>     >     /usr/kerberos/sbin/login\.krb5    --    system_u:object_r:login_exec_t:s0
>     >
>     >
>     >     init_t is supposed to transition to local_login_t when executing the
>     >     login program.
>     >
>     >
>     >     On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>     >>     Hi Daniel,
>     >>
>     >>     Thanks for the quick reply. Please find the first-time boot log with
>     >>     labeling and reboot.
>     >>
>     >>     Also find the second boot log, from when I created /.autorelablel.
>     >>
>     >>     Somehow I could not log in as root.
>     >>
>     >>     Your help is really appreciated.
>     >>
>     >>     Thanks,
>     >>     Srinivas.
>     >>
>     >>     On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>     >>
>     >>         Looks like you have a labeling issue.
>     >>
>     >>         touch /.autorelabel; reboot
>     >>
>     >>         Should fix the issues.
>     >>
>     >>
>     >>
>     >>         On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>     >>>         Hi All,
>     >>>
>     >>>         I am very new to selinux. Today I ported selinux to my
>     >>>         embedded platform with targeted policy + enforcing.
>     >>>
>     >>>         When I try to boot, it completes labeling the filesystem, but I
>     >>>         cannot log in as root. See my error log:
>     >>>
>     >>>         arm-cortex-a15 login: root
>     >>>         Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>     >>>         Would you like to enter a security context? [N]  Y
>     >>>         role: unconfined_r
>     >>>         level: s0
>     >>>         [ 1252.885468] type=1400 audit(1439898856.140:13): avc:
>     >>>          denied  { transition } for  pid=1120 comm="login"
>     >>>         path="/bin/bash" dev="mmcblk0" ino=58115
>     >>>         scontext=system_u:system_r:init_t:s0
>     >>>         tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>     >>>         tclass=process
>     >>>         [ 1252.887219] type=1400 audit(1439898856.140:14): avc:
>     >>>          denied  { transition } for  pid=1120 comm="login"
>     >>>         path="/bin/bash" dev="mmcblk0" ino=58115
>     >>>         scontext=system_u:system_r:init_t:s0
>     >>>         tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>     >>>         tclass=process
>     >>>         Cannot execute /bin/sh: Permission denied
>     >>>
>     >>>         MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15
>     >>>         /dev/console
>     >>>
>     >>>         arm-cortex-a15 login:
>     >>>
>     >>>         Please help me. How can I solve this issue and achieve a
>     >>>         normal boot?
>     >>>
>     >>>
>     >>>         Thanks,
>     >>>         Srinivas.
>     >>>
>     >>>
>     >>>         --
>     >>>         selinux mailing list
>     >>>         selinux at lists.fedoraproject.org
>     >>>         https://admin.fedoraproject.org/mailman/listinfo/selinux
>     >>
>     >
>
>     What does
>
>     $ rpm -q selinux-policy-targeted
>
>     ?
>
>     Also could you try to reinstall the selinux-policy-targeted to see if it
>     blows up?
>
>     --
>     Miroslav Grepl
>     Senior Software Engineer, SELinux Solutions
>     Red Hat, Inc.
>
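The replies in this thread all point at the same two checks: whether the login binary actually carries login_exec_t (otherwise init_t never transitions to local_login_t and login keeps running as init_t, which is exactly what the AVC denial's scontext shows), and whether the filesystem holding login is mounted nosuid (on kernels of that era a nosuid mount blocks SELinux domain transitions for binaries on it). The script below is an added example, not code from the thread or from the SELinux project; it parses an AVC line constructed from the thread's log, checks a constructed /proc/mounts table for nosuid, and, when run on an SELinux target, reads the label of the login binary with `ls -Z`. The function names and the sample mount table are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). It takes the AVC denial shown
# in the thread apart and performs the checks the replies ask for.

# Constructed sample input: one AVC line in the shape of the thread's log.
SAMPLE_AVC='type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'

# Constructed sample mount table in /proc/mounts format (assumed layout).
SAMPLE_MOUNTS='/dev/mmcblk0p2 / ext4 rw,relatime 0 0
/dev/mmcblk0p3 /usr ext4 ro,nosuid,nodev,relatime 0 0'

# avc_field LINE KEY: print the value of KEY=value from an AVC line, unquoted.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# type_of CONTEXT: the type field of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# explain_denial LINE: turn a process-transition denial into the thread's
# diagnosis. login still running as init_t means the binary was not labeled
# login_exec_t, so the init_t -> local_login_t transition never happened.
explain_denial() {
    comm=$(avc_field "$1" comm)
    cls=$(avc_field "$1" tclass)
    src=$(type_of "$(avc_field "$1" scontext)")
    tgt=$(type_of "$(avc_field "$1" tcontext)")
    if [ "$cls" = process ] && [ "$comm" = login ] && [ "$src" = init_t ]; then
        echo "login is still running as init_t, not local_login_t: check that the login binary is labeled login_exec_t"
    else
        echo "$comm: $cls transition from $src to $tgt denied"
    fi
}

# mount_has_nosuid MOUNTS MOUNTPOINT: succeed if MOUNTPOINT's options include nosuid.
mount_has_nosuid() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nosuid") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# label_type PATH: the type in the file's security context, via ls -Z.
# Only meaningful on an SELinux-enabled target; prints nothing otherwise.
label_type() {
    ls -dZ "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }' | cut -d: -f3
}

# check_login_label PATH: report whether PATH carries login_exec_t.
check_login_label() {
    t=$(label_type "$1")
    case "$t" in
        login_exec_t) echo "$1: $t (ok)" ;;
        "")           echo "$1: no SELinux label visible (not an SELinux host, or file missing)" ;;
        *)            echo "$1: $t (expected login_exec_t; run restorecon -v $1, or touch /.autorelabel and reboot)" ;;
    esac
}

# Usage on the target (source the file, then):
#   explain_denial "$SAMPLE_AVC"
#   mount_has_nosuid "$(cat /proc/mounts)" /usr && echo "/usr is nosuid"
#   check_login_label /bin/login; check_login_label /usr/bin/login
```

On the embedded box from the thread, `check_login_label` is the one-liner equivalent of Daniel's `ls -lZ /usr/bin/login*`, and `mount_has_nosuid` answers his nosuid question from the live mount table rather than from the constructed sample.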
