Unable to login with targeted policy, enforcing mode

Miroslav Grepl mgrepl at redhat.com
Thu Aug 27 15:00:42 UTC 2015


On 08/25/2015 02:36 PM, Srinivasa Rao Ragolu wrote:
> Hi All,
> 
> I am new to selinux stuff and I am trying to port selinux to embedded
> platform using meta-selinux layer from yocto project
> (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/?h=dizzy)
> 
> *Problem:*
> 
> Not able to login with root user. root user is not acceptable while
> booting in enforcing mode of targeted policy.
> 
> *Observations:*
> 
> With permissive mode, I was able to log in and captured the details below.
> Using sysvinit as init manager.
> *#ps*
>  714 root      4920 S    /lib/udev/udevd -d
>   825 root      4916 S    /lib/udev/udevd -d
>   826 root      4916 S    /lib/udev/udevd -d
>  1022 root      2172 S    {udhcpc} /bin/busybox /sbin/udhcpc -R -n -p
> /var/run
>  1039 messageb 11204 S    /usr/bin/dbus-daemon --system
>  1043 distcc    3124 S N  /usr/bin/distccd
> --pid-file=/var/run/distcc.pid --da
>  1044 distcc    3124 S N  /usr/bin/distccd
> --pid-file=/var/run/distcc.pid --da
>  1051 root      2172 S    {syslogd} /bin/busybox /sbin/syslogd -n -O
> /var/log/
>  1054 root      2172 S    {klogd} /bin/busybox /sbin/klogd -n
>  1057 distcc    3124 S N  /usr/bin/distccd
> --pid-file=/var/run/distcc.pid --da
>  1060 avahi     3172 S    avahi-daemon: running [arm-cortex-a15.local]
>  1061 avahi     3172 S    avahi-daemon: chroot helper
>  1072 distcc    3124 S N  /usr/bin/distccd
> --pid-file=/var/run/distcc.pid --da
>  1076 root      3544 S    /bin/login --
>  1078 root         0 SW   [kauditd]
>  1080 root      3020 S    -sh
>  1081 root      2504 R    {ps} /bin/busybox /bin/ps
> 
> *#sestatus -v*
> root at arm-cortex-a15:~# sestatus -v
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
> 
> Process contexts:
> Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Init context:                   system_u:system_r:init_t:s0
> 
> File contexts:
> Controlling terminal:           unconfined_u:object_r:user_tty_device_t:s0
> /etc/passwd                     system_u:object_r:etc_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:bin_t:s0 ->
> system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 ->
> system_u:object_r:shell_exec_t:s0
> /sbin/init                      system_u:object_r:bin_t:s0 ->
> system_u:object_r:init_exec_t:s0
> /lib/libc.so.6                  system_u:object_r:lib_t:s0 ->
> system_u:object_r:lib_t:s0
> 
> 
> *root at arm-cortex-a15:~# sesearch -T -t login_exec_t *
> Found 3 semantic te rules:
>    type_transition rlogind_t login_exec_t : process remote_login_t; 
>    type_transition telnetd_t login_exec_t : process remote_login_t; 
>    type_transition getty_t login_exec_t : process local_login_t; 
> 
> 
> *root at arm-cortex-a15:~# sesearch -T -t getty_exec_t *
> Found 2 semantic te rules:
>    type_transition init_t getty_exec_t : process getty_t; 
>    type_transition initrc_t getty_exec_t : process getty_t; 
> 
> 
> *root at arm-cortex-a15:~# grep getty_exec_t
> /etc/selinux/targeted/contexts/files/file-contexts*
> /sbin/.*getty--system_u:object_r:getty_exec_t:s0
> root at arm-cortex-a15:~# 
> 
> policy rules in /etc/selinux/targeted/contexts/files/file-contexts are
> 
> /bin/bash       --      system_u:object_r:shell_exec_t:s0
> /bin/login      --      system_u:object_r:login_exec_t:s0
> /bin/d?ash      --      system_u:object_r:shell_exec_t:s0
> /sbin/.*getty   --      system_u:object_r:getty_exec_t:s0
> 
> As of now I am completely stuck. Please help me to resolve this issue.
> What modifications are needed to log in as root under the targeted policy in
> enforcing mode?
> 
> Thanks and Regards,
> Srinivas.
> 


Are there AVCs in permissive mode?

Re-test and run

# ausearch -m avc,user_avc -ts recent

Also try to check /var/log/secure.


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
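As an added illustration for this thread (not code from either mail, nor from the meta-selinux layer), the script below walks the SELinux domain-transition chain a console login needs, using the `sesearch -T` rules and the four file-contexts lines quoted above as constructed sample input. On a live system you would replace the two variables with real `sesearch -T` output and the policy's `file_contexts` file; the function names are the example's own. Run against the quoted rules, it shows that the `init_t -> getty_t -> local_login_t` path is complete, while a `/bin/login` executed directly from `init_t` has no transition rule and would stay in `init_t`, which is the kind of gap an AVC search in permissive mode would confirm or rule out.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's or the project's code):
# follow the domain-transition chain for a console login, using constructed
# sample input copied from the rules and file-contexts lines quoted above.

# Constructed from the `sesearch -T` output quoted in the thread.
SESEARCH_RULES='type_transition rlogind_t login_exec_t : process remote_login_t;
type_transition telnetd_t login_exec_t : process remote_login_t;
type_transition getty_t login_exec_t : process local_login_t;
type_transition init_t getty_exec_t : process getty_t;
type_transition initrc_t getty_exec_t : process getty_t;'

# Constructed from the four file-contexts lines quoted in the thread.
FILE_CONTEXTS='/bin/bash       --      system_u:object_r:shell_exec_t:s0
/bin/login      --      system_u:object_r:login_exec_t:s0
/bin/d?ash      --      system_u:object_r:shell_exec_t:s0
/sbin/.*getty   --      system_u:object_r:getty_exec_t:s0'

# exec_type_of PATH: print the type (third field of the context) that the
# file-contexts entries assign to PATH. Entries are anchored regexes and, as
# with setfiles/matchpathcon, the last matching entry wins. Prints nothing
# when no entry matches (the file would not get a dedicated exec type).
exec_type_of() {
    printf '%s\n' "$FILE_CONTEXTS" |
        awk -v p="$1" '
            NF >= 3 && match(p, "^" $1 "$") { ctx = $3 }
            END { if (ctx != "") { split(ctx, f, ":"); print f[3] } }'
}

# next_domain SOURCE_DOMAIN EXEC_TYPE: print the domain a process running as
# SOURCE_DOMAIN enters when it executes a file labelled EXEC_TYPE, or nothing
# when no type_transition rule exists (the child then stays in SOURCE_DOMAIN).
next_domain() {
    printf '%s\n' "$SESEARCH_RULES" |
        awk -v s="$1" -v e="$2" '
            $1 == "type_transition" && $2 == s && $3 == e && $5 == "process" {
                sub(/;$/, "", $6); print $6; exit
            }'
}

# check_login_chain START_DOMAIN EXEC_TYPE...: follow the chain hop by hop,
# printing each transition. Returns 0 when every hop exists and 1 at the
# first hop that has no type_transition rule.
check_login_chain() {
    cur="$1"; shift
    for exec_t in "$@"; do
        nxt=$(next_domain "$cur" "$exec_t")
        if [ -z "$nxt" ]; then
            echo "MISSING: no type_transition $cur $exec_t : process (stays in $cur)"
            return 1
        fi
        echo "$cur exec $exec_t -> $nxt"
        cur="$nxt"
    done
    echo "final domain: $cur"
}

# The chain the quoted rules support: init -> getty -> login.
check_login_chain init_t "$(exec_type_of /sbin/getty)" "$(exec_type_of /bin/login)"
# init executing /bin/login directly has no rule in the quoted output.
check_login_chain init_t "$(exec_type_of /bin/login)" || true
```

The file-contexts lookup matters as much as the rules: a getty binary reached through a path that no entry matches (here `/bin/busybox` matches none of the four quoted lines) yields an empty exec type, so the chain breaks at the first hop even though the policy itself contains the `init_t -> getty_t` transition.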

