Please help me in resolving this issue

Srinivasa Rao Ragolu sragolu at mvista.com
Mon Aug 24 09:15:19 UTC 2015


Hi Daniel,

Sure. Sorry for the late reply. I am sharing the details now.

As I am using an embedded platform, I am referring to the Yocto bitbake
recipes for building the SELinux layer (i.e.
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux
).

Policy is targeted/enforcing. version is 2.3.

root@arm-cortex-a15:~# rpm -qa | grep selinux
packagegroup-selinux-policycoreutils-lic-1.0-r0.cortexa15hf_vfp
packagegroup-core-selinux-lic-1.0-r0.cortexa15hf_vfp
selinux-config-lic-0.1-r4.arm_cortex_a15
libselinux-lic-2.3-r0.cortexa15hf_vfp
selinux-config-0.1-r4.arm_cortex_a15
libselinux-2.3-r0.cortexa15hf_vfp
libselinux-bin-2.3-r0.cortexa15hf_vfp
libselinux-python-2.3-r0.cortexa15hf_vfp
pam-plugin-selinux-1.1.6-r2.4.2.cortexa15hf_vfp
system-config-selinux-2.3-r0.cortexa15hf_vfp
packagegroup-selinux-policycoreutils-1.0-r0.cortexa15hf_vfp
packagegroup-core-selinux-1.0-r0.cortexa15hf_vfp


I am using sysvinit. Every daemon is running in its own context. Please see
the attached rootfs log.


Thanks and Regards,
Srinivas.

On Fri, Aug 21, 2015 at 12:49 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
>
> On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu wrote:
>
> Hi All,
>
> Please find the security contexts of necessary files
>
> root@arm-cortex-a15:~# sestatus -v
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
>
> Process contexts:
> Current context:                unconfined_u:unconfined_r:unconfined_t:s0
> Init context:                   system_u:system_r:init_t:s0
>
> File contexts:
> Controlling terminal:           unconfined_u:object_r:user_tty_device_t:s0
> /etc/passwd                     system_u:object_r:etc_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:bin_t:s0 ->
> system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 ->
> system_u:object_r:shell_exec_t:s0
> /sbin/init                      system_u:object_r:bin_t:s0 ->
> system_u:object_r:init_exec_t:s0
> /lib/libc.so.6                  system_u:object_r:lib_t:s0 ->
> system_u:object_r:lib_t:s0
>
> Do I need to change any of the file contexts to avoid the issue of login
> failure?
>
> The problem is the login program is not transitioning from init_t to
> local_login_t.
>
> You never answered the question about what version of selinux-policy
>
> rpm -q selinux-policy
>
> Is this system using systemd?
>
> Are other programs running in different context beside kernel_t and init_t?
>
> Thanks,
> Srinivas.
>
> On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <sragolu at mvista.com> wrote:
>
>> As I could not log in, I changed /etc/selinux/config from enforcing
>> to permissive and executed the above commands.
>>
>> On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <sragolu at mvista.com> wrote:
>>
>>> Hi Daniel,
>>>
>>> Please see the output of the security contexts. Also, no /usr is mounted.
>>>
>>> root@arm-cortex-a15:~# ls -lZ /bin/login*
>>> lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0           17 Aug 18 15:06 /bin/login -> /bin/login.shadow
>>> -rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow
>>> root@arm-cortex-a15:~# mount
>>> /dev/root on / type ext2 (rw,relatime,seclabel)
>>> sysfs on /sys type sysfs (rw,relatime,seclabel)
>>> selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
>>> proc on /proc type proc (rw,relatime)
>>> none on /dev type devtmpfs
>>> (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)
>>> devpts on /dev/pts type devpts
>>> (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
>>> tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)
>>> tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)
>>>
>>>
>>> Please guide me if you find a clue in the above output.
>>>
>>> Thanks,
>>> Srinivas.
>>>
>>>
>>> On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <dwalsh at redhat.com>
>>> wrote:
>>>
>>>> ls -lZ /usr/bin/login*
>>>>
>>>> By any chance is the /usr directory mounted NOSUID?
>>>>
>>>>
>>>> On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am building for an embedded platform. I could not get the exact
>>>> version, but I can provide info about the recipe in Yocto.
>>>>
>>>>
>>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/
>>>>
>>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb
>>>>
>>>> Any pointers please?
>>>>
>>>> Thanks,
>>>> Srinivas.
>>>>
>>>> On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl at redhat.com> wrote:
>>>>
>>>>> On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
>>>>> > Hi Daniel,
>>>>> >
>>>>> > I have checked the file_contexts file
>>>>> >
>>>>> > # grep :login_exec_t contexts/files/file_contexts
>>>>> > /bin/login--system_u:object_r:login_exec_t:s0
>>>>> > /bin/login\.shadow--system_u:object_r:login_exec_t:s0
>>>>> > /bin/login\.tinylogin--system_u:object_r:login_exec_t:s0
>>>>> > /usr/kerberos/sbin/login\.krb5--system_u:object_r:login_exec_t:s0
>>>>> >
>>>>> > Now, if I run in permissive mode, I can see the login programs below
>>>>> > running
>>>>> > (here I gave unconfined_r as the role and s0 as the range)
>>>>> >
>>>>> >  1109 root      3540 S    /bin/login --
>>>>> >  1111 root         0 SW   [kauditd]
>>>>> >  1113 root      3020 S    -sh
>>>>> >
>>>>> > But when I run in enforcing mode I get the same error
>>>>> >
>>>>> > arm-cortex-a15 login: root
>>>>> > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>>>> > Would you like to enter a security context? [N]  Y
>>>>> > role: unconfined_r
>>>>> > level: s0
>>>>> > [ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>>> > [ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>>> > Cannot execute /bin/sh: Permission denied
>>>>> >
>>>>> > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>>>> >
>>>>> > arm-cortex-a15 login:
>>>>> >
>>>>> > Please guide me on what is going wrong and how to resolve this issue.
>>>>> >
>>>>> > Thanks,
>>>>> > Srinivas.
>>>>> >
>>>>> > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>> >
>>>>> >     What is the path to the login program?  What is it labeled?  The
>>>>> >     problem is login is running with the wrong context.
>>>>> >
>>>>> >     It should be labeled login_exec_t
>>>>> >
>>>>> >     grep :login_exec_t
>>>>> /etc/selinux/targeted/contexts/files/file_contexts
>>>>> >     /bin/login    --    system_u:object_r:login_exec_t:s0
>>>>> >     /usr/bin/login    --    system_u:object_r:login_exec_t:s0
>>>>> >     /usr/kerberos/sbin/login\.krb5    --
>>>>> >     system_u:object_r:login_exec_t:s0
>>>>> >
>>>>> >
>>>>> >     init_t is supposed to transition to local_login_t when executing
>>>>> the
>>>>> >     login program.
>>>>> >
>>>>> >
>>>>> >     On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>>>>> >>     Hi Daniel,
>>>>> >>
>>>>> >>     Thanks for the quick reply. Please find the first-time boot log with
>>>>> >>     labeling and reboot.
>>>>> >>
>>>>> >>     Also find the second-time boot log, from when I created /.autorelabel.
>>>>> >>
>>>>> >>     Somehow I could not log in as root.
>>>>> >>
>>>>> >>     Your help is really appreciated.
>>>>> >>
>>>>> >>     Thanks,
>>>>> >>     Srinivas.
>>>>> >>
>>>>> >>     On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>> >>
>>>>> >>         Looks like you have a labeling issue.
>>>>> >>
>>>>> >>         touch /.autorelabel; reboot
>>>>> >>
>>>>> >>         Should fix the issues.
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>         On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>>>>> >>>         Hi All,
>>>>> >>>
>>>>> >>>         I am very new to SELinux. Today I have ported SELinux to my
>>>>> >>>         embedded platform with targeted policy + enforcing.
>>>>> >>>
>>>>> >>>         When I try to boot, it completes labeling the filesystem. But I
>>>>> >>>         could not log in as root. See my error log...
>>>>> >>>
>>>>> >>>         arm-cortex-a15 login: root
>>>>> >>>         Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>>>> >>>         Would you like to enter a security context? [N]  Y
>>>>> >>>         role: unconfined_r
>>>>> >>>         level: s0
>>>>> >>>         [ 1252.885468] type=1400 audit(1439898856.140:13): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>>> >>>         [ 1252.887219] type=1400 audit(1439898856.140:14): avc:  denied  { transition } for  pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>>> >>>         Cannot execute /bin/sh: Permission denied
>>>>> >>>
>>>>> >>>         MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>>>> >>>
>>>>> >>>         arm-cortex-a15 login:
>>>>> >>>
>>>>> >>>         Please help me. How can I solve this issue and achieve a
>>>>> >>>         normal boot?
>>>>> >>>
>>>>> >>>
>>>>> >>>         Thanks,
>>>>> >>>         Srinivas.
>>>>> >>>
>>>>> >>>
>>>>> >>>         --
>>>>> >>>         selinux mailing list
>>>>> >>>         selinux at lists.fedoraproject.org
>>>>> >>>         https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>>
>>>>> What does
>>>>>
>>>>> $ rpm -q selinux-policy-targeted
>>>>>
>>>>> ?
>>>>>
>>>>> Also, could you try to reinstall selinux-policy-targeted to see if it
>>>>> blows up?
>>>>>
>>>>> --
>>>>> Miroslav Grepl
>>>>> Senior Software Engineer, SELinux Solutions
>>>>> Red Hat, Inc.
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
>
>
>
>
-------------- next part --------------
INIT: version 2.88 booting
[    4.602759] type=1400 audit(1440407426.800:4): avc:  denied  { write } for  pid=676 comm="mount" name="utab" dev="mmcblk0" ino=65424 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
[    6.393126] type=1400 audit(1440407428.590:5): avc:  denied  { write } for  pid=691 comm="mount" name="utab" dev="mmcblk0" ino=65424 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Starting udev
Error opening /dev/fb0: No such device or address
[    7.208149] type=1400 audit(1440407429.410:6): avc:  denied  { write } for  pid=708 comm="mount" name="utab" dev="mmcblk0" ino=65424 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
[    8.034049] udevd[715]: starting version 182
[   23.874584] type=1400 audit(1440407446.070:7): avc:  denied  { write } for  pid=925 comm="mount" name="utab" dev="mmcblk0" ino=65424 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Starting Bootlog daemon: bootlogd: cannot allocate pseudo tty: No such file or directory
bootlogd.
Configuring network interfaces... [   32.527342] smsc911x smsc911x eth0: SMSC911x/921x identified at 0xc08c0000, IRQ: 47
udhcpc (v1.20.2) started
Sending discover...
Sending select for 10.162.103.201...
Lease of 10.162.103.201 obtained, lease time 86400
/etc/udhcpc.d/50default: Adding DNS 10.162.0.5
/etc/udhcpc.d/50default: Adding DNS 10.0.0.5
done.
INIT: Entering runlevel: 5
Starting system message bus: dbus.
Starting sssd: [   37.929106] type=1400 audit(1440407459.680:8): avc:  denied  { search } for  pid=1057 comm="sssd" name="sssd" dev="tmpfs" ino=1620 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
[FAILED]
Starting Distributed Compiler Daemon: distcc.
+ NAME=nslcd
+ CONFIG=/etc/nslcd.conf
+ DAEMON=/usr/sbin/nslcd
+ DESC='LDAP connection daemon'
+ STATEDIR=/var/run/nslcd
+ PIDFILE=/var/run/nslcd/nslcd.pid
+ case "$1" in
+ start
+ '[' -e /var/run/nslcd/nslcd.pid ']'
+ echo -n 'Starting LDAP connection daemon...'
Starting LDAP connection daemon...+ start-stop-daemon --start --oknodo --pidfile /var/run/nslcd/nslcd.pid --startas /usr/sbin/nslcd
[   39.279207] type=1400 audit(1440407460.840:9): avc:  denied  { read } for  pid=1068 comm="nslcd" path="pipe:[1650]" dev="pipefs" ino=1650 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=fifo_file
+ '[' 1 -eq 0 ']'
+ echo failed.
failed.
+ exit 0
[   39.391855] type=1400 audit(1440407460.950:10): avc:  denied  { write } for  pid=1070 comm="nslcd" path="pipe:[1650]" dev="pipefs" ino=1650 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=fifo_file
[   39.392909] type=1400 audit(1440407460.950:11): avc:  denied  { write } for  pid=1070 comm="nslcd" path="pipe:[1650]" dev="pipefs" ino=1650 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=fifo_file
Starting syslogd/klogd: done
[   40.559745] type=1400 audit(1440407462.120:12): avc:  denied  { write } for  pid=1097 comm="avahi-daemon" name="log" dev="devtmpfs" ino=1689 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[   40.569915] type=1400 audit(1440407462.130:13): avc:  denied  { write } for  pid=1097 comm="avahi-daemon" name="log" dev="devtmpfs" ino=1689 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[   40.578343] type=1400 audit(1440407462.140:14): avc:  denied  { write } for  pid=1097 comm="avahi-daemon" name="log" dev="devtmpfs" ino=1689 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
Stopping Bootlog daemon: bootlogd.

MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console

arm-cortex-a15 login: root
Last login: Mon Aug 24 09:11:27 UTC 2015 on console
Would you like to enter a security context? [N]  Y
role: unconfined_r
level: s0
[   95.528284] type=1400 audit(1440407517.090:15): avc:  denied  { transition } for  pid=1118 comm="login" path="/bin/bash" dev="mmcblk0" ino=58131 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[   95.530047] type=1400 audit(1440407517.090:16): avc:  denied  { transition } for  pid=1118 comm="login" path="/bin/bash" dev="mmcblk0" ino=58131 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Cannot execute /bin/sh: Permission denied

MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console

arm-cortex-a15 login:
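The diagnosis Daniel gives in this thread (login is still running as init_t, so it has no rule allowing it to transition the user's shell into unconfined_t; it should have been in local_login_t by then) can be read mechanically off the AVC lines. The following Python is an added example by the editor, not code from the thread, from meta-selinux, or from MontaVista: it parses AVC denial lines of the exact shape quoted above, counts them by source domain, target type, class and permission, and flags a process-transition denial whose source domain is not the one the program should already be in. The sample log is constructed from the lines quoted on this page; the regexes, the function names and the one-entry EXPECTED_DOMAIN table (login must run as local_login_t, as stated in the thread) are the editor's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: AVC lines copied from the boot log and the login
# failure quoted in this thread, embedded here so the script runs offline.
SAMPLE_LOG = """\
[    4.602759] type=1400 audit(1440407426.800:4): avc:  denied  { write } for  pid=676 comm="mount" name="utab" dev="mmcblk0" ino=65424 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
[   23.874584] type=1400 audit(1440407446.070:7): avc:  denied  { write } for  pid=925 comm="mount" name="utab" dev="mmcblk0" ino=65424 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
[   37.929106] type=1400 audit(1440407459.680:8): avc:  denied  { search } for  pid=1057 comm="sssd" name="sssd" dev="tmpfs" ino=1620 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
Starting syslogd/klogd: done
[   95.528284] type=1400 audit(1440407517.090:15): avc:  denied  { transition } for  pid=1118 comm="login" path="/bin/bash" dev="mmcblk0" ino=58131 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[   95.530047] type=1400 audit(1440407517.090:16): avc:  denied  { transition } for  pid=1118 comm="login" path="/bin/bash" dev="mmcblk0" ino=58131 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
"""

# Kernel AVC line shape: avc:  denied  { perm ... } for  key=value key="value" ...
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Domain a program should already be running in when the denial is logged.
# Assumption: only the case discussed in this thread is tabulated (init_t is
# supposed to transition to local_login_t when it executes login).
EXPECTED_DOMAIN = {"login": "local_login_t"}


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def ctx_type(ctx):
    """user:role:type[:range] -> type (the MLS range may itself contain ':')."""
    return ctx.split(":")[2]


def summarize(log):
    """Count denials by (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["comm"], ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]),
               rec["tclass"], " ".join(rec["perms"]))
        counts[key] += 1
    return counts


def diagnose_login(log):
    """Flag process-transition denials whose source domain is not the domain
    the program should already be in. For the thread's log this gives one
    finding: login is still in init_t, so it never reached local_login_t."""
    findings = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "process" or "transition" not in rec["perms"]:
            continue
        src = ctx_type(rec["scontext"])
        expected = EXPECTED_DOMAIN.get(rec["comm"])
        if expected is None or src == expected:
            continue
        msg = (f'{rec["comm"]} (pid {rec["pid"]}) runs as {src}, not {expected}; '
               f'{src} has no rule allowing the transition to '
               f'{ctx_type(rec["tcontext"])} via {rec.get("path", "?")}')
        if msg not in findings:  # the kernel logged the same denial twice
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}x  {key}")
    for finding in diagnose_login(SAMPLE_LOG):
        print("FINDING:", finding)
```

On the device the same conclusion is reached without a script: `ps -eZ | grep login` shows which domain login actually runs in, and, with setools installed, `sesearch -T -s init_t -t login_exec_t -c process` shows whether the loaded policy contains a type_transition rule from init_t to local_login_t on login_exec_t at all. A missing rule points at the policy build; a present rule means the file init actually executed was not seen as login_exec_t at exec time, which is why the thread asks about the label on the binary and about nosuid mounts.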

