Please help me in resolving this issue
Daniel J Walsh
dwalsh at redhat.com
Tue Aug 25 10:06:55 UTC 2015
Looking at Fedora policy I see
sesearch -T -t login_exec_t
Found 4 semantic te rules:
type_transition rlogind_t login_exec_t : process remote_login_t;
type_transition telnetd_t login_exec_t : process remote_login_t;
type_transition getty_t login_exec_t : process local_login_t;
type_transition kmscon_t login_exec_t : process local_login_t;
Which means only getty_t and kmscon_t transition to local_login_t
Then looking at getty_exec_t I see:
sesearch -T -t getty_exec_t
Found 8 semantic te rules:
type_transition kdumpctl_t getty_exec_t : process getty_t;
type_transition piranha_pulse_t getty_exec_t : process getty_t;
type_transition initrc_t getty_exec_t : process getty_t;
type_transition condor_startd_t getty_exec_t : process getty_t;
type_transition glusterd_t getty_exec_t : process getty_t;
type_transition openshift_initrc_t getty_exec_t : process getty_t;
type_transition init_t getty_exec_t : process getty_t;
type_transition cluster_t getty_exec_t : process getty_t;
Which shows init_t transitioning to getty_t via getty_exec_t
# grep getty_exec_t /etc/selinux/targeted/contexts/files/file_contexts
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
/usr/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
So on Fedora the init system executes /usr/sbin/.*getty, which should
transition to getty_t.
We are obviously not seeing this on your platform.
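The transition chain traced by hand above can be checked mechanically. What follows is an added example, not code from this thread or from any SELinux tool: a small Python parser for the `sesearch -T` and `file_contexts` output quoted in the message, which computes the domain a process lands in after each exec. The rule lines and file_contexts entries are constructed from the output above; picking the last matching file_contexts entry is a simplification of libselinux's most-specific-match selection, and the chain assumes the exec itself is permitted.

```python
import re

# Constructed sample input: the sesearch -T output quoted in the message
# above (Fedora targeted policy), trimmed to the rules a console login uses.
SESEARCH_OUTPUT = """
Found 4 semantic te rules:
   type_transition rlogind_t login_exec_t : process remote_login_t;
   type_transition telnetd_t login_exec_t : process remote_login_t;
   type_transition getty_t login_exec_t : process local_login_t;
   type_transition kmscon_t login_exec_t : process local_login_t;
Found 8 semantic te rules:
   type_transition initrc_t getty_exec_t : process getty_t;
   type_transition init_t getty_exec_t : process getty_t;
"""

# Constructed sample input: file_contexts lines in the format grep'd above.
# Raw string so the regex escape in login\.krb5 survives.
FILE_CONTEXTS = r"""
/sbin/.*getty                    --  system_u:object_r:getty_exec_t:s0
/usr/sbin/.*getty                --  system_u:object_r:getty_exec_t:s0
/bin/login                       --  system_u:object_r:login_exec_t:s0
/usr/bin/login                   --  system_u:object_r:login_exec_t:s0
/usr/kerberos/sbin/login\.krb5   --  system_u:object_r:login_exec_t:s0
"""

RULE_RE = re.compile(
    r"type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;")


def parse_transitions(text):
    """Map (source_domain, exec_type) -> new domain from sesearch -T output."""
    return {(src, tgt): new for src, tgt, new in RULE_RE.findall(text)}


def parse_file_contexts(text):
    """Return [(compiled_regex, file_type)] from file_contexts lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # The optional middle field (--, -d, -l ...) filters on file kind;
        # the context is always the last field and its type is field 2.
        pattern, context = parts[0], parts[-1]
        entries.append((re.compile(pattern), context.split(":")[2]))
    return entries


def label_for(path, file_contexts):
    """Type the path would be labeled with, or None if nothing matches.

    file_contexts regexes are anchored to the whole path. libselinux
    prefers the most specific entry; taking the last match is an
    adequate simplification for this small sample."""
    label = None
    for regex, file_type in file_contexts:
        if regex.fullmatch(path):
            label = file_type
    return label


def exec_chain(start_domain, paths, rules, file_contexts):
    """Domains a process passes through as it exec()s each path in turn.

    With no type_transition rule for (caller domain, exec type) the new
    image keeps the caller's domain. That is how login ends up running as
    init_t when nothing transitioned to getty_t in front of it."""
    domain = start_domain
    chain = [domain]
    for path in paths:
        exec_type = label_for(path, file_contexts)
        domain = rules.get((domain, exec_type), domain)
        chain.append(domain)
    return chain


RULES = parse_transitions(SESEARCH_OUTPUT)
CONTEXTS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    # The chain the policy expects: init -> getty -> login.
    print(exec_chain("init_t", ["/sbin/getty", "/bin/login"], RULES, CONTEXTS))
    # init executing login directly: no rule fires, so login stays init_t.
    print(exec_chain("init_t", ["/bin/login"], RULES, CONTEXTS))
    # A path no file_contexts entry covers gets no exec type at all.
    print(label_for("/bin/login.shadow", CONTEXTS))
```

Feeding the script a platform's own `sesearch -T -t login_exec_t`, `sesearch -T -t getty_exec_t` output and the matching `file_contexts` lines makes the missing link visible immediately: either the binary's path matches no entry (a labeling problem) or the (domain, exec type) pair has no rule (a policy problem).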
On 08/24/2015 08:09 AM, Srinivasa Rao Ragolu wrote:
> Hi Daniel,
>
> See the contexts of init scripts
>
> *******************************************
> root at arm-cortex-a15:~# ls -Z /etc/rc5.d/
> system_u:object_r:etc_t:s0 S02dbus-1
> system_u:object_r:etc_t:s0 S02sssd
> system_u:object_r:etc_t:s0 S20distcc
> system_u:object_r:etc_t:s0 S20hwclock.sh
> system_u:object_r:etc_t:s0 S20nslcd
> system_u:object_r:etc_t:s0 S20syslog
> system_u:object_r:etc_t:s0 S21avahi-daemon
> system_u:object_r:etc_t:s0 S99rmnologin.sh
> system_u:object_r:etc_t:s0 S99stop-bootlogd
> root at arm-cortex-a15:~# ls -Z /etc/init.d
> system_u:object_r:initrc_exec_t:s0 0selinux-init
> system_u:object_r:initrc_exec_t:s0 alignment.sh
> system_u:object_r:avahi_initrc_exec_t:s0 avahi-daemon
> system_u:object_r:initrc_exec_t:s0 banner.sh
> system_u:object_r:initrc_exec_t:s0 bootlogd
> system_u:object_r:initrc_exec_t:s0 bootmisc.sh
> system_u:object_r:initrc_exec_t:s0 checkroot.sh
> system_u:object_r:initrc_exec_t:s0 dbus-1
> system_u:object_r:initrc_exec_t:s0 devpts.sh
> system_u:object_r:initrc_exec_t:s0 distcc
> system_u:object_r:etc_t:s0 functions
> system_u:object_r:initrc_exec_t:s0 functions.initscripts
> system_u:object_r:initrc_exec_t:s0 functions.lsbinitscripts
> system_u:object_r:initrc_exec_t:s0 halt
> system_u:object_r:initrc_exec_t:s0 hostname.sh
> system_u:object_r:initrc_exec_t:s0 hwclock.sh
> ************************************************************************
>
> /etc/inittab file l0:0:wait:/etc/init.d/rc 0
> *******************************************
> # /etc/inittab: init(8) configuration.
> # $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $
>
> # The default runlevel.
> id:5:initdefault:
>
> # Boot-time system configuration/initialization script.
> # This is run first except when booting in emergency (-b) mode.
> si::sysinit:/etc/init.d/rcS
>
> # What to do in single-user mode.
> ~~:S:wait:/sbin/sulogin
>
> # /etc/init.d executes the S and K scripts upon change
> # of runlevel.
> #
> # Runlevel 0 is halt.
> # Runlevel 1 is single-user.
> # Runlevels 2-5 are multi-user.
> # Runlevel 6 is reboot.
> l1:1:wait:/etc/init.d/rc 1
> l2:2:wait:/etc/init.d/rc 2
> l3:3:wait:/etc/init.d/rc 3
> l4:4:wait:/etc/init.d/rc 4
> l5:5:wait:/etc/init.d/rc 5
> l6:6:wait:/etc/init.d/rc 6
> # Normally not reached, but fallthrough in case of emergency.
> z6:6:respawn:/sbin/sulogin
> con:2345:respawn:/sbin/getty console
> ********************************************
>
>
> I am not quite sure which version of the policy it is using, but it is
> built from the recipes; I referred to the yocto link and provided you the version.
>
> How this issue of labelling can be resolved?
>
> Thanks,
> Srinivas.
>
> On Mon, Aug 24, 2015 at 4:34 PM, Daniel J Walsh <dwalsh at redhat.com
> <mailto:dwalsh at redhat.com>> wrote:
>
> Ok so this is using your own policy. Using system v init usually
> meant you went from init_t @ initrc_exec_t -> initrc_t @
> mydomain_exec_t -> mydomain_t
>
> You usually did not transition from the init system directly to
> the final domain.
>
> Are your init scripts labeled initrc_exec_t?
>
>
>
> On 08/24/2015 05:15 AM, Srinivasa Rao Ragolu wrote:
>> Hi Daniel,
>>
>> Sure. Sorry for the late reply. I am sharing the details now.
>>
>> As I am using an embedded platform, I am referring to the yocto bitbake
>> recipes for building the selinux layer.
>> (ie: http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux)
>>
>> Policy is targeted/enforcing. version is 2.3.
>>
>> root at arm-cortex-a15:~# rpm -qa | grep selinux
>> packagegroup-selinux-policycoreutils-lic-1.0-r0.cortexa15hf_vfp
>> packagegroup-core-selinux-lic-1.0-r0.cortexa15hf_vfp
>> selinux-config-lic-0.1-r4.arm_cortex_a15
>> libselinux-lic-2.3-r0.cortexa15hf_vfp
>> selinux-config-0.1-r4.arm_cortex_a15
>> libselinux-2.3-r0.cortexa15hf_vfp
>> libselinux-bin-2.3-r0.cortexa15hf_vfp
>> libselinux-python-2.3-r0.cortexa15hf_vfp
>> pam-plugin-selinux-1.1.6-r2.4.2.cortexa15hf_vfp
>> system-config-selinux-2.3-r0.cortexa15hf_vfp
>> packagegroup-selinux-policycoreutils-1.0-r0.cortexa15hf_vfp
>> packagegroup-core-selinux-1.0-r0.cortexa15hf_vfp
>>
>>
>> I am using sysvinit. Every daemon is running in its own context.
>> Please see the attached rootfs log.
>>
>>
>> Thanks and Regards,
>> Srinivas.
>>
>> On Fri, Aug 21, 2015 at 12:49 AM, Daniel J Walsh
>> <dwalsh at redhat.com <mailto:dwalsh at redhat.com>> wrote:
>>
>>
>>
>> On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu wrote:
>>> Hi All,
>>>
>>> Please find the security contexts of necessary files
>>>
>>> root at arm-cortex-a15:~# sestatus -v
>>> SELinux status: enabled
>>> SELinuxfs mount: /sys/fs/selinux
>>> SELinux root directory: /etc/selinux
>>> Loaded policy name: targeted
>>> Current mode: permissive
>>> Mode from config file: permissive
>>> Policy MLS status: enabled
>>> Policy deny_unknown status: allowed
>>> Max kernel policy version: 28
>>>
>>> Process contexts:
>>> Current context:
>>> unconfined_u:unconfined_r:unconfined_t:s0
>>> Init context: system_u:system_r:init_t:s0
>>>
>>> File contexts:
>>> Controlling terminal:
>>> unconfined_u:object_r:user_tty_device_t:s0
>>> /etc/passwd system_u:object_r:etc_t:s0
>>> /etc/shadow system_u:object_r:shadow_t:s0
>>> /bin/bash
>>> system_u:object_r:shell_exec_t:s0
>>> /bin/login system_u:object_r:bin_t:s0
>>> -> system_u:object_r:login_exec_t:s0
>>> /bin/sh system_u:object_r:bin_t:s0
>>> -> system_u:object_r:shell_exec_t:s0
>>> /sbin/init system_u:object_r:bin_t:s0
>>> -> system_u:object_r:init_exec_t:s0
>>> /lib/libc.so.6 system_u:object_r:lib_t:s0
>>> -> system_u:object_r:lib_t:s0
>>>
>>> Do I need to change any of the file contexts to avoid the
>>> issue of login failure?
>>>
>> The problem is the login program is not transitioning from
>> init_t to local_login_t.
>>
>> You never answered the question about what version of
>> selinux-policy
>>
>> rpm -q selinux-policy
>>
>> Is this system using systemd?
>>
>> Are other programs running in different context beside
>> kernel_t and init_t?
>>
>>> Thanks,
>>> Srinivas.
>>>
>>> On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu
>>> <sragolu at mvista.com <mailto:sragolu at mvista.com>> wrote:
>>>
>>> As I could not log in, I changed
>>> /etc/selinux/config from enforcing to permissive and
>>> executed the above commands.
>>>
>>> On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu
>>> <sragolu at mvista.com <mailto:sragolu at mvista.com>> wrote:
>>>
>>> Hi Daniel,
>>>
>>> Please see the output of the security contexts. Also, no
>>> /usr is mounted.
>>>
>>> root at arm-cortex-a15:~# ls -lZ /bin/login*
>>> lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0
>>> 17 Aug 18 15:06 /bin/login -> /bin/login.shadow
>>> -rwxr-xr-x. 1 root root
>>> system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18
>>> /bin/login.shadow
>>> root at arm-cortex-a15:~# mount
>>> /dev/root on / type ext2 (rw,relatime,seclabel)
>>> sysfs on /sys type sysfs (rw,relatime,seclabel)
>>> selinuxfs on /sys/fs/selinux type selinuxfs
>>> (rw,relatime)
>>> proc on /proc type proc (rw,relatime)
>>> none on /dev type devtmpfs
>>> (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)
>>> devpts on /dev/pts type devpts
>>> (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
>>> tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)
>>> tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)
>>>
>>>
>>> Please guide me if you find any clue in the above output.
>>>
>>> Thanks,
>>> Srinivas.
>>>
>>>
>>> On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh
>>> <dwalsh at redhat.com <mailto:dwalsh at redhat.com>> wrote:
>>>
>>> ls -lZ /usr/bin/login*
>>>
>>> By any chance is the /usr directory mounted NOSUID?
>>>
>>>
>>> On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
>>>> Hi,
>>>>
>>>> I am building for an embedded platform. I could not
>>>> get the exact version, but I can provide info
>>>> about the recipe in yocto.
>>>>
>>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/
>>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/refpolicy/refpolicy-targeted_git.bb
>>>>
>>>> Any pointers please?
>>>>
>>>> Thanks,
>>>> Srinivas.
>>>>
>>>> On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl
>>>> <mgrepl at redhat.com <mailto:mgrepl at redhat.com>>
>>>> wrote:
>>>>
>>>> On 08/18/2015 04:37 PM, Srinivasa Rao
>>>> Ragolu wrote:
>>>> > Hi Daniel,
>>>> >
>>>> > I have checked the file_contexts file
>>>> >
>>>> > #grep :login_exec_t contexts/files/file_contexts
>>>> > /bin/login -- system_u:object_r:login_exec_t:s0
>>>> > /bin/login\.shadow -- system_u:object_r:login_exec_t:s0
>>>> > /bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
>>>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>>>> >
>>>> > Now if I run in permissive mode, I could see the login programs below
>>>> > running (here I gave unconfined_r as role and s0 as range)
>>>> >
>>>> > 1109 root 3540 S /bin/login --
>>>> > 1111 root 0 SW [kauditd]
>>>> > 1113 root 3020 S -sh
>>>> >
>>>> > But when I run in enforcing mode I get the same error
>>>> >
>>>> > arm-cortex-a15 login: root
>>>> > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>>> > Would you like to enter a security context? [N] Y
>>>> > role: unconfined_r
>>>> > level: s0
>>>> > [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> > [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> > Cannot execute /bin/sh: Permission denied
>>>> >
>>>> > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>>> >
>>>> > arm-cortex-a15 login:
>>>> >
>>>> > Please guide me what is going wrong and how to resolve this issue.
>>>> >
>>>> > Thanks,
>>>> > Srinivas.
>>>> >
>>>> > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J
>>>> Walsh <dwalsh at redhat.com
>>>> <mailto:dwalsh at redhat.com>
>>>> > <mailto:dwalsh at redhat.com
>>>> <mailto:dwalsh at redhat.com>>> wrote:
>>>> >
>>>> > What is the path to the login program? What is it labeled? The
>>>> > problem is login is running with the wrong context.
>>>> >
>>>> > It should be labeled login_exec_t
>>>> >
>>>> > grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
>>>> > /bin/login -- system_u:object_r:login_exec_t:s0
>>>> > /usr/bin/login -- system_u:object_r:login_exec_t:s0
>>>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>>>> >
>>>> >
>>>> > init_t is supposed to transition to local_login_t when executing the
>>>> > login program.
>>>> >
>>>> >
>>>> > On 08/18/2015 06:17 AM, Srinivasa Rao
>>>> Ragolu wrote:
>>>> >> Hi Daniel,
>>>> >>
>>>> >> Thanks for the quick reply. Please find the first boot log with
>>>> >> labeling and reboot.
>>>> >>
>>>> >> Also find the second boot log, when I created /.autorelablel.
>>>> >>
>>>> >> Somehow I could not log in as root.
>>>> >>
>>>> >> Your help is really appreciated.
>>>> >>
>>>> >> Thanks,
>>>> >> Srinivas.
>>>> >>
>>>> >> On Tue, Aug 18, 2015 at 6:16 PM,
>>>> Daniel J Walsh <dwalsh at redhat.com
>>>> <mailto:dwalsh at redhat.com>
>>>> >> <mailto:dwalsh at redhat.com
>>>> <mailto:dwalsh at redhat.com>>> wrote:
>>>> >>
>>>> >> Looks like you have a labeling issue.
>>>> >>
>>>> >> touch /.autorelabel; reboot
>>>> >>
>>>> >> Should fix the issues.
>>>> >>
>>>> >>
>>>> >>
>>>> >> On 08/18/2015 04:53 AM,
>>>> Srinivasa Rao Ragolu wrote:
>>>> >>> Hi All,
>>>> >>>
>>>> >>> I am very new to selinux. Today I have ported selinux to my
>>>> >>> embedded platform with targeted policy+enforcing.
>>>> >>>
>>>> >>> When I try to boot, it completes labeling the filesystem. But I
>>>> >>> could not log in using root. See my error log...
>>>> >>>
>>>> >>> arm-cortex-a15 login: root
>>>> >>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>>> >>> Would you like to enter a security context? [N] Y
>>>> >>> role: unconfined_r
>>>> >>> level: s0
>>>> >>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> >>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> >>> Cannot execute /bin/sh: Permission denied
>>>> >>>
>>>> >>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>>> >>>
>>>> >>> arm-cortex-a15 login:
>>>> >>>
>>>> >>> Please help me. How can I solve this issue and achieve
>>>> >>> normal boot?
>>>> >>>
>>>> >>>
>>>> >>> Thanks,
>>>> >>> Srinivas.
>>>> >>>
>>>> >>>
>>>> >>> --
>>>> >>> selinux mailing list
>>>> >>> selinux at lists.fedoraproject.org
>>>> <mailto:selinux at lists.fedoraproject.org>
>>>> >>>
>>>> <mailto:selinux at lists.fedoraproject.org
>>>> <mailto:selinux at lists.fedoraproject.org>>
>>>> >>>
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>> What does
>>>>
>>>> $ rpm -q selinux-policy-targeted
>>>>
>>>> ?
>>>>
>>>> Also could you try to reinstall the
>>>> selinux-policy-targeted to see if it
>>>> blows up?
>>>>
>>>> --
>>>> Miroslav Grepl
>>>> Senior Software Engineer, SELinux Solutions
>>>> Red Hat, Inc.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>