Unable to login with targeted policy, enforcing mode

Srinivasa Rao Ragolu sragolu at mvista.com
Tue Aug 25 12:36:09 UTC 2015


Hi All,

I am new to SELinux and I am trying to port SELinux to an embedded
platform using the meta-selinux layer from the Yocto Project
(http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/?h=dizzy).

*Problem:*

Not able to log in with the root user. The root user is not accepted while
booting in enforcing mode of the targeted policy.

*Observations:*

With permissive mode, I was able to log in and captured the details below.
Using sysvinit as the init manager.

*#ps*
  714 root      4920 S    /lib/udev/udevd -d
  825 root      4916 S    /lib/udev/udevd -d
  826 root      4916 S    /lib/udev/udevd -d
 1022 root      2172 S    {udhcpc} /bin/busybox /sbin/udhcpc -R -n -p /var/run
 1039 messageb 11204 S    /usr/bin/dbus-daemon --system
 1043 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1044 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1051 root      2172 S    {syslogd} /bin/busybox /sbin/syslogd -n -O /var/log/
 1054 root      2172 S    {klogd} /bin/busybox /sbin/klogd -n
 1057 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1060 avahi     3172 S    avahi-daemon: running [arm-cortex-a15.local]
 1061 avahi     3172 S    avahi-daemon: chroot helper
 1072 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1076 root      3544 S    /bin/login --
 1078 root         0 SW   [kauditd]
 1080 root      3020 S    -sh
 1081 root      2504 R    {ps} /bin/busybox /bin/ps

*#sestatus -v*
root@arm-cortex-a15:~# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0

File contexts:
Controlling terminal:           unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0


*root@arm-cortex-a15:~# sesearch -T -t login_exec_t*
Found 3 semantic te rules:
   type_transition rlogind_t login_exec_t : process remote_login_t;
   type_transition telnetd_t login_exec_t : process remote_login_t;
   type_transition getty_t login_exec_t : process local_login_t;


*root@arm-cortex-a15:~# sesearch -T -t getty_exec_t*
Found 2 semantic te rules:
   type_transition init_t getty_exec_t : process getty_t;
   type_transition initrc_t getty_exec_t : process getty_t;


*root@arm-cortex-a15:~# grep getty_exec_t /etc/selinux/targeted/contexts/files/file-contexts*
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
root@arm-cortex-a15:~#

The policy rules in /etc/selinux/targeted/contexts/files/file-contexts are:

/bin/bash       --      system_u:object_r:shell_exec_t:s0
/bin/login      --      system_u:object_r:login_exec_t:s0
/bin/d?ash      --      system_u:object_r:shell_exec_t:s0
/sbin/.*getty   --      system_u:object_r:getty_exec_t:s0

As of now I am completely stuck. Please help me to resolve this issue.
What modifications are needed to log in as root under targeted policy and
enforcing mode?

Thanks and Regards,
Srinivas.
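
Added example, not part of the original post: a small Python model of the type_transition rules and file-context entries quoted above, which reports the process domain reached when a given domain executes a chain of binaries. The function names are hypothetical, and two simplifications are assumed: an exec with no matching rule stays in the caller's domain, and the ordering libselinux applies to overlapping file-context entries is not modelled.

```python
import re

# Rules copied from the two sesearch -T outputs in the post.
SESEARCH_OUTPUT = """
   type_transition rlogind_t login_exec_t : process remote_login_t;
   type_transition telnetd_t login_exec_t : process remote_login_t;
   type_transition getty_t login_exec_t : process local_login_t;
   type_transition init_t getty_exec_t : process getty_t;
   type_transition initrc_t getty_exec_t : process getty_t;
"""
# Entries copied from the file-contexts listing in the post.
FILE_CONTEXTS = """
/bin/bash       --      system_u:object_r:shell_exec_t:s0
/bin/login      --      system_u:object_r:login_exec_t:s0
/bin/d?ash      --      system_u:object_r:shell_exec_t:s0
/sbin/.*getty   --      system_u:object_r:getty_exec_t:s0
"""
RULE_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+);")

def parse_transitions(text):
    """Map (source domain, entrypoint file type) -> new process domain."""
    return {(src, tgt): new for src, tgt, new in RULE_RE.findall(text)}

def parse_file_contexts(text):
    """Return [(compiled path regex, file type)] for regular-file ('--') entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] == "--":
            entries.append((re.compile(fields[0]), fields[2].split(":")[2]))
    return entries

def file_type(path, entries):
    """Type of the first entry whose regex matches the whole path, else None."""
    for regex, ftype in entries:
        if regex.fullmatch(path):
            return ftype
    return None

def walk_exec_chain(start_domain, paths, transitions, entries):
    """Domains reached as each path is exec'd in turn. Assumption: with no
    matching type_transition rule the process stays in the caller's domain."""
    domains = [start_domain]
    for path in paths:
        key = (domains[-1], file_type(path, entries))
        domains.append(transitions.get(key, domains[-1]))
    return domains

TRANSITIONS = parse_transitions(SESEARCH_OUTPUT)
ENTRIES = parse_file_contexts(FILE_CONTEXTS)
```

Calling walk_exec_chain("init_t", ["/sbin/getty", "/bin/login"], TRANSITIONS, ENTRIES) gives the chain init_t, getty_t, local_login_t; passing only "/bin/login" shows that the quoted rules contain no transition for init_t executing login_exec_t directly.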