Please help me in resolving this issue
Srinivasa Rao Ragolu
sragolu at mvista.com
Wed Aug 19 12:35:38 UTC 2015
As I was not able to log in, I changed /etc/selinux/config from enforcing to
permissive. Executed above commands.
On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <sragolu at mvista.com>
wrote:
> Hi Daniel,
>
> Please see the output of security contexts. Also no usr is mounted.
>
> root@arm-cortex-a15:~# ls -lZ /bin/login*
> lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow
> -rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow
> root@arm-cortex-a15:~# mount
> /dev/root on / type ext2 (rw,relatime,seclabel)
> sysfs on /sys type sysfs (rw,relatime,seclabel)
> selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
> proc on /proc type proc (rw,relatime)
> none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)
> devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
> tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)
> tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)
>
>
> Please guide me if you find any clue from the above output.
>
> Thanks,
> Srinivas.
>
>
> On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <dwalsh at redhat.com>
> wrote:
>
>> ls -lZ /usr/bin/login*
>>
>> By any chance is the /usr directory mounted NOSUID?
>>
>>
>> On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
>>
>> Hi,
>>
>> I am building for an embedded platform. I was not able to get the exact version.
>> But I can provide info about the recipe in Yocto.
>>
>>
>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/
>>
>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb
>>
>> Any pointers please?
>>
>> Thanks,
>> Srinivas.
>>
>> On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl at redhat.com>
>> wrote:
>>
>>> On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
>>> > Hi Daniel,
>>> >
>>> > I have checked the file_contexts file
>>> >
>>> > # grep :login_exec_t contexts/files/file_contexts
>>> > /bin/login -- system_u:object_r:login_exec_t:s0
>>> > /bin/login\.shadow -- system_u:object_r:login_exec_t:s0
>>> > /bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
>>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>>> >
>>> > Now if I run in permissive mode, I can see the login programs below are
>>> > running
>>> > (here I gave unconfined_r as role and s0 as range):
>>> >
>>> > 1109 root 3540 S /bin/login --
>>> > 1111 root 0 SW [kauditd]
>>> > 1113 root 3020 S -sh
>>> >
>>> > But when I run in enforcing mode I get the same error:
>>> >
>>> > arm-cortex-a15 login: root
>>> > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>> > Would you like to enter a security context? [N] Y
>>> > role: unconfined_r
>>> > level: s0
>>> > [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> > [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> > Cannot execute /bin/sh: Permission denied
>>> >
>>> > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>> >
>>> > arm-cortex-a15 login:
>>> >
>>> > Please guide me what is going wrong and how to resolve this issue.
>>> >
>>> > Thanks,
>>> > Srinivas.
>>> >
>>> > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> >
>>> > What is the path to the login program? What is it labeled? The
>>> > problem is login is running with the wrong context.
>>> >
>>> > It should be labeled login_exec_t
>>> >
>>> > grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
>>> > /bin/login -- system_u:object_r:login_exec_t:s0
>>> > /usr/bin/login -- system_u:object_r:login_exec_t:s0
>>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>>> >
>>> >
>>> > init_t is supposed to transition to local_login_t when executing the
>>> > login program.
>>> >
>>> >
>>> > On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>>> >> Hi Daniel,
>>> >>
>>> >> Thanks for the quick reply. Please find the first boot log with
>>> >> labeling and reboot.
>>> >>
>>> >> Also find the second boot log, from when I created /.autorelablel.
>>> >>
>>> >> Somehow I was not able to log in as root.
>>> >>
>>> >> Your help is really appreciated.
>>> >>
>>> >> Thanks,
>>> >> Srinivas.
>>> >>
>>> >> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> >>
>>> >> Looks like you have a labeling issue.
>>> >>
>>> >> touch /.autorelabel; reboot
>>> >>
>>> >> Should fix the issues.
>>> >>
>>> >>
>>> >>
>>> >> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>>> >>> Hi All,
>>> >>>
>>> >>> I am very new to SELinux. Today I have ported SELinux to my
>>> >>> embedded platform with targeted policy+enforcing.
>>> >>>
>>> >>> When I try to boot, it completes labeling the filesystem. But I
>>> >>> was not able to log in as root. See my error log...
>>> >>>
>>> >>> arm-cortex-a15 login: root
>>> >>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>> >>> Would you like to enter a security context? [N] Y
>>> >>> role: unconfined_r
>>> >>> level: s0
>>> >>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> >>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> >>> Cannot execute /bin/sh: Permission denied
>>> >>>
>>> >>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>> >>>
>>> >>> arm-cortex-a15 login:
>>> >>>
>>> >>> Please help me.. How can I solve this issue and achieve
>>> >>> normal boot.
>>> >>>
>>> >>>
>>> >>> Thanks,
>>> >>> Srinivas.
>>> >>>
>>> >>>
>>> >>> --
>>> >>> selinux mailing list
>>> >>> selinux at lists.fedoraproject.org
>>> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> >
>>> >
>>>
>>> What does
>>>
>>> $ rpm -q selinux-policy-targeted
>>>
>>> ?
>>>
>>> Also could you try to reinstall the selinux-policy-targeted to see if it
>>> blows up?
>>>
>>> --
>>> Miroslav Grepl
>>> Senior Software Engineer, SELinux Solutions
>>> Red Hat, Inc.
>>>
>>
>>
>>
>>
>>
>>
>
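
Added example (not part of the original thread): a Python triage helper that parses the AVC denial quoted above and flags the condition Daniel describes, where login is still running in init_t instead of local_login_t. The function names and the EXPECTED_DOMAIN table are assumptions made for this illustration.

```python
import re

# AVC denial copied from the console log quoted in the thread (re-joined onto one line).
THREAD_AVC = (
    '[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } '
    'for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'
)

# Assumption: only the expectation stated in the thread is encoded here
# (init_t should transition to local_login_t when it executes login).
EXPECTED_DOMAIN = {"login": "local_login_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return dict(zip(("user", "role", "type", "level"), parts))

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def diagnose(line):
    """Flag a denial whose source domain is not the one expected for its comm."""
    avc = parse_avc(line)
    if avc is None or "scontext" not in avc or "tcontext" not in avc:
        return None
    source = split_context(avc["scontext"])["type"]
    target = split_context(avc["tcontext"])["type"]
    expected = EXPECTED_DOMAIN.get(avc.get("comm"))
    return {
        "comm": avc.get("comm"), "perms": avc["perms"], "tclass": avc.get("tclass"),
        "source_type": source, "target_type": target, "expected_source": expected,
        "missed_transition": expected is not None and source != expected,
    }

if __name__ == "__main__":
    print(diagnose(THREAD_AVC))
```

A result with missed_transition set points back at the two things the replies ask about: the label on the login binary and whether the loaded policy carries the init_t to local_login_t transition.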