Please help me in resolving this issue
Daniel J Walsh
dwalsh at redhat.com
Thu Aug 20 19:19:27 UTC 2015
On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu wrote:
> Hi All,
>
> Please find the security contexts of necessary files
>
> root at arm-cortex-a15:~# sestatus -v
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: permissive
> Mode from config file: permissive
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Max kernel policy version: 28
>
> Process contexts:
> Current context: unconfined_u:unconfined_r:unconfined_t:s0
> Init context: system_u:system_r:init_t:s0
>
> File contexts:
> Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0
> /etc/passwd system_u:object_r:etc_t:s0
> /etc/shadow system_u:object_r:shadow_t:s0
> /bin/bash system_u:object_r:shell_exec_t:s0
> /bin/login system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
> /bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> /sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
> /lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
>
> Do I need to change any of the file contexts to avoid the issue of
> login failure?
>
The problem is the login program is not transitioning from init_t to
local_login_t.
You never answered the question about what version of selinux-policy:
rpm -q selinux-policy
Is this system using systemd?
Are other programs running in different contexts besides kernel_t and init_t?
> Thanks,
> Srinivas.
>
> On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <sragolu at mvista.com> wrote:
>
> As I could not log in, I changed /etc/selinux/config from
> enforcing to permissive and executed the above commands.
>
> On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <sragolu at mvista.com> wrote:
>
> Hi Daniel,
>
> Please see the output of the security contexts. Also, no /usr is
> mounted.
>
> root at arm-cortex-a15:~# ls -lZ /bin/login*
> lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow
> -rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow
> root at arm-cortex-a15:~# mount
> /dev/root on / type ext2 (rw,relatime,seclabel)
> sysfs on /sys type sysfs (rw,relatime,seclabel)
> selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
> proc on /proc type proc (rw,relatime)
> none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)
> devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
> tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)
> tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)
>
>
> Please guide me if you find any clue in the above output.
>
> Thanks,
> Srinivas.
>
>
> On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> ls -lZ /usr/bin/login*
>
> By any chance is the /usr directory mounted NOSUID?
>
>
> On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
>> Hi,
>>
>> I am building for an embedded platform. I could not get the
>> exact version, but I can provide info about the recipe in
>> Yocto.
>>
>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/
>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb
>>
>> Any pointers please?
>>
>> Thanks,
>> Srinivas.
>>
>> On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl at redhat.com> wrote:
>>
>> On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
>> > Hi Daniel,
>> >
>> > I have checked the file_contexts file
>> >
>> > # grep :login_exec_t contexts/files/file_contexts
>> > /bin/login -- system_u:object_r:login_exec_t:s0
>> > /bin/login\.shadow -- system_u:object_r:login_exec_t:s0
>> > /bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>> >
>> > Now, if I run in permissive mode, I could see the login programs
>> > below are running
>> > (here I gave unconfined_r as role and s0 as range):
>> >
>> > 1109 root 3540 S /bin/login --
>> > 1111 root 0 SW [kauditd]
>> > 1113 root 3020 S -sh
>> >
>> > But when I run with enforcing mode I get the same error
>> >
>> > arm-cortex-a15 login: root
>> > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>> > Would you like to enter a security context? [N] Y
>> > role: unconfined_r
>> > level: s0
>> > [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> > [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> > Cannot execute /bin/sh: Permission denied
>> >
>> > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>> >
>> > arm-cortex-a15 login:
>> >
>> > Please guide me on what is going wrong and how to resolve this issue.
>> >
>> > Thanks,
>> > Srinivas.
>> >
>> > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> >
>> > What is the path to the login program? What is it labeled? The
>> > problem is login is running with the wrong context.
>> >
>> > It should be labeled login_exec_t
>> >
>> > grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
>> > /bin/login -- system_u:object_r:login_exec_t:s0
>> > /usr/bin/login -- system_u:object_r:login_exec_t:s0
>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>> >
>> >
>> > init_t is supposed to transition to local_login_t when executing the
>> > login program.
>> >
>> >
>> > On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>> >> Hi Daniel,
>> >>
>> >> Thanks for the quick reply. Please find the first-time boot log
>> >> with labeling and reboot.
>> >>
>> >> Also find the second-time boot log from when I created
>> >> /.autorelabel.
>> >>
>> >> Somehow I could not log in as root.
>> >>
>> >> Your help is really appreciated.
>> >>
>> >> Thanks,
>> >> Srinivas.
>> >>
>> >> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> >>
>> >> Looks like you have a labeling issue.
>> >>
>> >> touch /.autorelabel; reboot
>> >>
>> >> Should fix the issues.
>> >>
>> >>
>> >>
>> >> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>> >>> Hi All,
>> >>>
>> >>> I am very new to SELinux. Today I have ported SELinux to my
>> >>> embedded platform with targeted policy + enforcing.
>> >>>
>> >>> When I try to boot, it completes labeling the filesystem, but I
>> >>> could not log in using root. See my error log:
>> >>>
>> >>> arm-cortex-a15 login: root
>> >>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>> >>> Would you like to enter a security context? [N] Y
>> >>> role: unconfined_r
>> >>> level: s0
>> >>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> >>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> >>> Cannot execute /bin/sh: Permission denied
>> >>>
>> >>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>> >>>
>> >>> arm-cortex-a15 login:
>> >>>
>> >>> Please help me. How can I solve this issue and achieve a
>> >>> normal boot?
>> >>>
>> >>>
>> >>> Thanks,
>> >>> Srinivas.
>> >>>
>> >>>
>> >>> --
>> >>> selinux mailing list
>> >>> selinux at lists.fedoraproject.org
>> <mailto:selinux at lists.fedoraproject.org>
>> >>> <mailto:selinux at lists.fedoraproject.org
>> <mailto:selinux at lists.fedoraproject.org>>
>> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> What does
>>
>> $ rpm -q selinux-policy-targeted
>>
>> ?
>>
>> Also could you try to reinstall the
>> selinux-policy-targeted to see if it
>> blows up?
>>
>> --
>> Miroslav Grepl
>> Senior Software Engineer, SELinux Solutions
>> Red Hat, Inc.
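As an added example (not code from any message in this thread), a small Python parser for AVC denial lines like the ones quoted above: it extracts the fields of each denial and flags a command whose source domain is not the one it should have transitioned into, here login still running in init_t instead of the local_login_t domain Dan names. The sample log lines are constructed from the thread, and the EXPECTED_DOMAIN table is an assumption built from it.

```python
import re

# Constructed sample: two AVC denials modelled on the ones quoted in this thread.
SAMPLE_AVC = """\
[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Domain a command should run in after init_t executes its *_exec_t binary.
# Assumption taken from the thread: login is expected in local_login_t.
EXPECTED_DOMAIN = {"login": "local_login_t"}

def parse_avc(line):
    """Return the denial's permissions and key=value fields as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec

def domain(context):
    """Type component (third field) of a user:role:type:level context."""
    return context.split(":")[2]

def diagnose(rec):
    """Explain a denial whose command runs in a different domain than expected."""
    comm, src = rec.get("comm"), domain(rec["scontext"])
    expected = EXPECTED_DOMAIN.get(comm)
    if expected and src != expected:
        return (f"{comm} (pid {rec['pid']}) runs in {src}, expected {expected}: "
                f"check the executable's label and the {src} -> {expected} transition")
    return None

def diagnose_log(text):
    """Unique diagnoses for all AVC denials in a log, in first-seen order."""
    seen = []
    for line in text.splitlines():
        rec = parse_avc(line)
        msg = diagnose(rec) if rec else None
        if msg and msg not in seen:
            seen.append(msg)
    return seen

print("\n".join(diagnose_log(SAMPLE_AVC)))
```

On the thread's two identical denials this reports a single finding pointing at the login executable's label and the missing init_t to local_login_t transition, which is exactly the labeling question raised in the replies.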