Please help me in resolving this issue
Daniel J Walsh
dwalsh at redhat.com
Mon Aug 24 11:04:50 UTC 2015
Ok so this is using your own policy. Using system v init usually meant
you went from init_t @ initrc_exec_t -> initrc_t @ mydomain_exec_t ->
mydomain_t
You usually did not transition from the init system directly to the
final domain.
Are your init scripts labeled initrc_exec_t?
On 08/24/2015 05:15 AM, Srinivasa Rao Ragolu wrote:
> Hi Daniel,
>
> Sure. Sorry for the late reply. I am sharing the details now.
>
> As I am using an embedded platform, I am referring to the Yocto bitbake recipes
> for building the SELinux layer
> (i.e.: http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux)
>
> Policy is targeted/enforcing. version is 2.3.
>
> root at arm-cortex-a15:~# rpm -qa | grep selinux
> packagegroup-selinux-policycoreutils-lic-1.0-r0.cortexa15hf_vfp
> packagegroup-core-selinux-lic-1.0-r0.cortexa15hf_vfp
> selinux-config-lic-0.1-r4.arm_cortex_a15
> libselinux-lic-2.3-r0.cortexa15hf_vfp
> selinux-config-0.1-r4.arm_cortex_a15
> libselinux-2.3-r0.cortexa15hf_vfp
> libselinux-bin-2.3-r0.cortexa15hf_vfp
> libselinux-python-2.3-r0.cortexa15hf_vfp
> pam-plugin-selinux-1.1.6-r2.4.2.cortexa15hf_vfp
> system-config-selinux-2.3-r0.cortexa15hf_vfp
> packagegroup-selinux-policycoreutils-1.0-r0.cortexa15hf_vfp
> packagegroup-core-selinux-1.0-r0.cortexa15hf_vfp
>
>
> I am using sysvinit. Every daemon is running in its own context.
> Please see attached rootfs log.
>
>
> Thanks and Regards,
> Srinivas.
>
> On Fri, Aug 21, 2015 at 12:49 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>
>
> On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu wrote:
>> Hi All,
>>
>> Please find the security contexts of necessary files
>>
>> root at arm-cortex-a15:~# sestatus -v
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: targeted
>> Current mode: permissive
>> Mode from config file: permissive
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Max kernel policy version: 28
>>
>> Process contexts:
>> Current context:
>> unconfined_u:unconfined_r:unconfined_t:s0
>> Init context: system_u:system_r:init_t:s0
>>
>> File contexts:
>> Controlling terminal:
>> unconfined_u:object_r:user_tty_device_t:s0
>> /etc/passwd system_u:object_r:etc_t:s0
>> /etc/shadow system_u:object_r:shadow_t:s0
>> /bin/bash system_u:object_r:shell_exec_t:s0
>> /bin/login system_u:object_r:bin_t:s0 ->
>> system_u:object_r:login_exec_t:s0
>> /bin/sh system_u:object_r:bin_t:s0 ->
>> system_u:object_r:shell_exec_t:s0
>> /sbin/init system_u:object_r:bin_t:s0 ->
>> system_u:object_r:init_exec_t:s0
>> /lib/libc.so.6 system_u:object_r:lib_t:s0 ->
>> system_u:object_r:lib_t:s0
>>
>> Do I need to change any of the file contexts to avoid the issue
>> of login failure?
>>
> The problem is the login program is not transitioning from init_t
> to local_login_t.
>
> You never answered the question about what version of selinux-policy
>
> rpm -q selinux-policy
>
> Is this system using systemd?
>
> Are other programs running in different contexts besides kernel_t
> and init_t?
>
>> Thanks,
>> Srinivas.
>>
>> On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <sragolu at mvista.com> wrote:
>>
>> As I could not log in, I changed /etc/selinux/config
>> from enforcing to permissive and executed the above commands.
>>
>> On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <sragolu at mvista.com> wrote:
>>
>> Hi Daniel,
>>
>> Please see the output of the security contexts. Also, no /usr
>> is mounted.
>>
>> root at arm-cortex-a15:~# ls -lZ /bin/login*
>> lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0
>> 17 Aug 18 15:06 /bin/login -> /bin/login.shadow
>> -rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0
>> 31756 Aug 12 07:18 /bin/login.shadow
>> root at arm-cortex-a15:~# mount
>> /dev/root on / type ext2 (rw,relatime,seclabel)
>> sysfs on /sys type sysfs (rw,relatime,seclabel)
>> selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
>> proc on /proc type proc (rw,relatime)
>> none on /dev type devtmpfs
>> (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)
>> devpts on /dev/pts type devpts
>> (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
>> tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)
>> tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)
>>
>>
>> Please guide me if you find a clue in the above output.
>>
>> Thanks,
>> Srinivas.
>>
>>
>> On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>
>> ls -lZ /usr/bin/login*
>>
>> By any chance is the /usr directory mounted NOSUID?
>>
>>
>> On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
>>> Hi,
>>>
>>> I am building for an embedded platform. I could not get the
>>> exact version, but I can provide info about the recipe in Yocto.
>>>
>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/
>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb
>>>
>>> Any pointers please?
>>>
>>> Thanks,
>>> Srinivas.
>>>
>>> On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl at redhat.com> wrote:
>>>
>>> On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
>>> > Hi Daniel,
>>> >
>>> > I have checked the file_contexts file
>>> >
>>> > # grep :login_exec_t contexts/files/file_contexts
>>> > /bin/login -- system_u:object_r:login_exec_t:s0
>>> > /bin/login\.shadow -- system_u:object_r:login_exec_t:s0
>>> > /bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
>>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>>> >
>>> > Now if I run in permissive mode, I can see the login programs
>>> > below are running
>>> > (here I gave unconfined_r as the role and s0 as the range)
>>> >
>>> > 1109 root 3540 S /bin/login --
>>> > 1111 root 0 SW [kauditd]
>>> > 1113 root 3020 S -sh
>>> >
>>> > But when I run in enforcing mode I get the same error
>>> >
>>> > arm-cortex-a15 login: root
>>> > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>> > Would you like to enter a security context? [N] Y
>>> > role: unconfined_r
>>> > level: s0
>>> > [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> > [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> > Cannot execute /bin/sh: Permission denied
>>> >
>>> > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>> >
>>> > arm-cortex-a15 login:
>>> >
>>> > Please guide me on what is going wrong and how to resolve this issue.
>>> >
>>> > Thanks,
>>> > Srinivas.
>>> >
>>> > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> >
>>> > What is the path to the login program?
>>> What is it labeled? The
>>> > problem is login is running with the wrong
>>> context.
>>> >
>>> > It should be labeled login_exec_t
>>> >
>>> > grep :login_exec_t
>>> /etc/selinux/targeted/contexts/files/file_contexts
>>> > /bin/login --
>>> system_u:object_r:login_exec_t:s0
>>> > /usr/bin/login --
>>> system_u:object_r:login_exec_t:s0
>>> > /usr/kerberos/sbin/login\.krb5 --
>>> > system_u:object_r:login_exec_t:s0
>>> >
>>> >
>>> > init_t is supposed to transition to
>>> local_login_t when executing the
>>> > login program.
>>> >
>>> >
>>> > On 08/18/2015 06:17 AM, Srinivasa Rao
>>> Ragolu wrote:
>>> >> Hi Daniel,
>>> >>
>>> >> Thanks for the quick reply. Please find the first-time boot log
>>> >> with labeling and reboot.
>>> >>
>>> >> Also find the second boot log from when I created /.autorelabel.
>>> >>
>>> >> Somehow I could not log in as root.
>>> >>
>>> >> Your help is really appreciated.
>>> >>
>>> >> Thanks,
>>> >> Srinivas.
>>> >>
>>> >> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> >>
>>> >> Looks like you have a labeling issue.
>>> >>
>>> >> touch /.autorelabel; reboot
>>> >>
>>> >> Should fix the issues.
>>> >>
>>> >>
>>> >>
>>> >> On 08/18/2015 04:53 AM, Srinivasa Rao
>>> Ragolu wrote:
>>> >>> Hi All,
>>> >>>
>>> >>> I am very new to SELinux. Today I ported SELinux to my
>>> >>> embedded platform with the targeted policy + enforcing.
>>> >>>
>>> >>> When I try to boot, it completes labeling the filesystem, but I
>>> >>> could not log in as root. See my error log...
>>> >>>
>>> >>> arm-cortex-a15 login: root
>>> >>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>> >>> Would you like to enter a security context? [N] Y
>>> >>> role: unconfined_r
>>> >>> level: s0
>>> >>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> >>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>> >>> Cannot execute /bin/sh: Permission denied
>>> >>>
>>> >>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>> >>>
>>> >>> arm-cortex-a15 login:
>>> >>>
>>> >>> Please help me. How can I solve this issue and achieve a
>>> >>> normal boot?
>>> >>>
>>> >>>
>>> >>> Thanks,
>>> >>> Srinivas.
>>> >>>
>>> >>>
>>> >>> --
>>> >>> selinux mailing list
>>> >>> selinux at lists.fedoraproject.org
>>> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> >>
>>> >>
>>> >
>>> >
>>>
>>> What does
>>>
>>> $ rpm -q selinux-policy-targeted
>>>
>>> ?
>>>
>>> Also could you try to reinstall the
>>> selinux-policy-targeted to see if it
>>> blows up?
>>>
>>> --
>>> Miroslav Grepl
>>> Senior Software Engineer, SELinux Solutions
>>> Red Hat, Inc.
>>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20150824/d92e64f3/attachment-0001.html>
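The script below is an added example for this thread; it is not code from the thread, from refpolicy or from meta-selinux. It does offline what you would do on the device with ausearch, matchpathcon and sesearch: parse the AVC records quoted above, resolve /bin/login and its symlink through a file_contexts fragment (the entries Srinivas grepped plus an assumed catch-all /bin entry for bin_t), and walk the init_t -> initrc_t -> mydomain_t chain Daniel describes. Function names, the DOMTRANS table and the embedded samples are mine; mydomain_t/mydomain_exec_t are Daniel's placeholders, not real types.

```python
"""Offline triage of the login-domain failure in this thread.

Added example; not code from the thread, refpolicy or meta-selinux.
(1) parse AVC denials, (2) resolve a path through a file_contexts
fragment, (3) follow the domain-transition chain.
"""
import re

# (1) Constructed sample: the two AVC records quoted in the thread.
SAMPLE_AVC = (
    '[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied '
    '{ transition } for pid=1120 comm="login" path="/bin/bash" '
    'dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process\n'
    '[ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied '
    '{ transition } for pid=1120 comm="login" path="/bin/bash" '
    'dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process\n'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOGIN_DOMAIN = "local_login_t"   # domain init_t must reach when it execs login_exec_t


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = bare if bare else quoted
    return rec


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def diagnose(rec):
    """Explain a denied process transition in terms of the expected login chain."""
    if not rec or rec.get("tclass") != "process" or "transition" not in rec["perms"]:
        return None
    src, dst = type_of(rec["scontext"]), type_of(rec["tcontext"])
    if rec.get("comm") == "login" and src != LOGIN_DOMAIN:
        return (f"login runs as {src}, not {LOGIN_DOMAIN}: exec of the login binary "
                f"did not transition, so no rule lets {src} reach {dst}; check the "
                f"binary's label (login_exec_t) and the init_t -> {LOGIN_DOMAIN} rule")
    return f"{src} has no transition rule to {dst}"


# (2) Constructed file_contexts fragment: the login entries from the thread
# plus a catch-all /bin entry (assumed; the thread shows /bin files as bin_t).
# Columns: regex, optional file type (-- regular, -l symlink, -d dir), context.
SAMPLE_FILE_CONTEXTS = r"""
/bin/.*                             system_u:object_r:bin_t:s0
/bin/login                      --  system_u:object_r:login_exec_t:s0
/bin/login\.shadow              --  system_u:object_r:login_exec_t:s0
/bin/login\.tinylogin           --  system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5  --  system_u:object_r:login_exec_t:s0
"""


def parse_file_contexts(text):
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, ctx = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def matchpathcon(specs, path, kind="--"):
    """Last matching spec whose type column fits wins; file_contexts is
    sorted most-specific-last, which is what makes this rule work."""
    winner = None
    for rx, ftype, ctx in specs:
        if rx.match(path) and ftype in (None, kind):
            winner = ctx
    return winner


# (3) The transitions the thread expects: refpolicy's login and sysvinit
# hops as Daniel describes them, plus his mydomain_* placeholder.
DOMTRANS = {
    ("init_t", "login_exec_t"): "local_login_t",
    ("init_t", "initrc_exec_t"): "initrc_t",
    ("initrc_t", "mydomain_exec_t"): "mydomain_t",
}


def walk_chain(start, exec_types):
    """Domains visited as `start` execs each type in turn. With no
    type_transition rule the process stays put, which is the symptom above."""
    chain = [start]
    for et in exec_types:
        chain.append(DOMTRANS.get((chain[-1], et), chain[-1]))
    return chain


if __name__ == "__main__":
    for line in SAMPLE_AVC.splitlines():
        print(diagnose(parse_avc(line)))
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    print(matchpathcon(specs, "/bin/login", kind="-l"), matchpathcon(specs, "/bin/login.shadow"))
    print(walk_chain("init_t", ["initrc_exec_t", "mydomain_exec_t"]))
    print(walk_chain("init_t", ["mydomain_exec_t"]))
```

Note what the file-type column does: the `--` entries apply to regular files only, so the /bin/login symlink resolves to bin_t while /bin/login.shadow resolves to login_exec_t, which is exactly what the `ls -lZ` output in the thread shows. The last walk_chain call reproduces Daniel's point that init does not normally transition straight into a daemon's final domain under sysvinit. On a real box, feed the functions `ausearch -m avc` output, the installed `/etc/selinux/targeted/contexts/files/file_contexts`, and the rules from `sesearch -T -s init_t -t login_exec_t -c process` instead of the embedded samples.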