Hi Daniel,
Sure. Sorry for the late reply. I am sharing the details now.
As I am using an embedded platform, I am referring to the yocto bitbake recipes for
building the selinux layer. (ie:
)
Policy is targeted/enforcing. Version is 2.3.
root@arm-cortex-a15:~# rpm -qa | grep selinux
packagegroup-selinux-policycoreutils-lic-1.0-r0.cortexa15hf_vfp
packagegroup-core-selinux-lic-1.0-r0.cortexa15hf_vfp
selinux-config-lic-0.1-r4.arm_cortex_a15
libselinux-lic-2.3-r0.cortexa15hf_vfp
selinux-config-0.1-r4.arm_cortex_a15
libselinux-2.3-r0.cortexa15hf_vfp
libselinux-bin-2.3-r0.cortexa15hf_vfp
libselinux-python-2.3-r0.cortexa15hf_vfp
pam-plugin-selinux-1.1.6-r2.4.2.cortexa15hf_vfp
system-config-selinux-2.3-r0.cortexa15hf_vfp
packagegroup-selinux-policycoreutils-1.0-r0.cortexa15hf_vfp
packagegroup-core-selinux-1.0-r0.cortexa15hf_vfp
I am using sysvinit. Every daemon is running in its own context. Please see
the attached rootfs log.
Thanks and Regards,
Srinivas.
On Fri, Aug 21, 2015 at 12:49 AM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
On 08/19/2015 11:51 PM, Srinivasa Rao Ragolu wrote:
Hi All,
Please find the security contexts of necessary files
root@arm-cortex-a15:~# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0
Init context: system_u:system_r:init_t:s0
File contexts:
Controlling terminal: unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/init system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
Do I need to change any of the file contexts to avoid the issue of login
failure?
The problem is the login program is not transitioning from init_t to
local_login_t.
You never answered the question about what version of selinux-policy
rpm -q selinux-policy
Is this system using systemd?
Are other programs running in different context beside kernel_t and init_t?
Thanks,
Srinivas.
On Wed, Aug 19, 2015 at 6:05 PM, Srinivasa Rao Ragolu <sragolu(a)mvista.com> wrote:
> As I could not log in, I changed /etc/selinux/config from enforcing
> to permissive and executed the above commands.
>
> On Wed, Aug 19, 2015 at 6:04 PM, Srinivasa Rao Ragolu <sragolu(a)mvista.com> wrote:
>
>> Hi Daniel,
>>
>> Please see the output of the security contexts. Also, no /usr is mounted.
>>
>> root@arm-cortex-a15:~# ls -lZ /bin/login*
>> lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 17 Aug 18 15:06 /bin/login -> /bin/login.shadow
>> -rwxr-xr-x. 1 root root system_u:object_r:login_exec_t:s0 31756 Aug 12 07:18 /bin/login.shadow
>> root@arm-cortex-a15:~# mount
>> /dev/root on / type ext2 (rw,relatime,seclabel)
>> sysfs on /sys type sysfs (rw,relatime,seclabel)
>> selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
>> proc on /proc type proc (rw,relatime)
>> none on /dev type devtmpfs (rw,relatime,seclabel,size=514956k,nr_inodes=128739,mode=755)
>> devpts on /dev/pts type devpts (rw,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
>> tmpfs on /var/volatile type tmpfs (rw,relatime,seclabel)
>> tmpfs on /media/ram type tmpfs (rw,relatime,seclabel)
>>
>>
>> Please guide me if you find any clue in the above output.
>>
>> Thanks,
>> Srinivas.
>>
>>
>> On Wed, Aug 19, 2015 at 12:38 AM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>>> ls -lZ /usr/bin/login*
>>>
>>> By any chance is the /usr directory mounted NOSUID?
>>>
>>>
>>> On 08/18/2015 07:58 AM, Srinivasa Rao Ragolu wrote:
>>>
>>> Hi,
>>>
>>> I am building for an embedded platform. I could not get the exact
>>> version, but I can provide info about the recipe in yocto.
>>>
>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-secur...
>>>
>>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-secur...
>>>
>>> Any pointers please?
>>>
>>> Thanks,
>>> Srinivas.
>>>
>>> On Tue, Aug 18, 2015 at 8:17 PM, Miroslav Grepl <mgrepl(a)redhat.com> wrote:
>>>
>>>> On 08/18/2015 04:37 PM, Srinivasa Rao Ragolu wrote:
>>>> > Hi Daniel,
>>>> >
>>>> > I have checked the file_contexts file
>>>> >
>>>> > # grep :login_exec_t contexts/files/file_contexts
>>>> > /bin/login -- system_u:object_r:login_exec_t:s0
>>>> > /bin/login\.shadow -- system_u:object_r:login_exec_t:s0
>>>> > /bin/login\.tinylogin -- system_u:object_r:login_exec_t:s0
>>>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>>>> >
>>>> > Now, if I run in permissive mode, I could see the login programs below
>>>> > running
>>>> > (here I gave unconfined_r as role and s0 as range)
>>>> >
>>>> >  1109 root 3540 S /bin/login --
>>>> >  1111 root 0 SW [kauditd]
>>>> >  1113 root 3020 S -sh
>>>> >
>>>> > But when I run in enforcing mode I get the same error:
>>>> >
>>>> > arm-cortex-a15 login: root
>>>> > Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>>> > Would you like to enter a security context? [N] Y
>>>> > role: unconfined_r
>>>> > level: s0
>>>> > [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> > [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> > Cannot execute /bin/sh: Permission denied
>>>> >
>>>> > MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>>> >
>>>> > arm-cortex-a15 login:
>>>> >
>>>> > Please guide me on what is going wrong and how to resolve this issue.
>>>> >
>>>> > Thanks,
>>>> > Srinivas.
>>>> >
>>>> > On Tue, Aug 18, 2015 at 6:52 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>> >
>>>> > What is the path to the login program? What is it labeled? The
>>>> > problem is login is running with the wrong context.
>>>> >
>>>> > It should be labeled login_exec_t
>>>> >
>>>> > grep :login_exec_t /etc/selinux/targeted/contexts/files/file_contexts
>>>> > /bin/login -- system_u:object_r:login_exec_t:s0
>>>> > /usr/bin/login -- system_u:object_r:login_exec_t:s0
>>>> > /usr/kerberos/sbin/login\.krb5 -- system_u:object_r:login_exec_t:s0
>>>> >
>>>> >
>>>> > init_t is supposed to transition to local_login_t when executing the
>>>> > login program.
>>>> >
>>>> >
>>>> > On 08/18/2015 06:17 AM, Srinivasa Rao Ragolu wrote:
>>>> >> Hi Daniel,
>>>> >>
>>>> >> Thanks for the quick reply. Please find the first-time boot log with
>>>> >> labeling and reboot.
>>>> >>
>>>> >> Also find the second-time boot log from when I created /.autorelablel.
>>>> >>
>>>> >> Somehow I could not log in as root.
>>>> >>
>>>> >> Your help is really appreciated.
>>>> >>
>>>> >> Thanks,
>>>> >> Srinivas.
>>>> >>
>>>> >> On Tue, Aug 18, 2015 at 6:16 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>> >>
>>>> >> Looks like you have a labeling issue.
>>>> >>
>>>> >> touch /.autorelabel; reboot
>>>> >>
>>>> >> Should fix the issues.
>>>> >>
>>>> >>
>>>> >>
>>>> >> On 08/18/2015 04:53 AM, Srinivasa Rao Ragolu wrote:
>>>> >>> Hi All,
>>>> >>>
>>>> >>> I am very new to selinux. Today I have ported selinux to my
>>>> >>> embedded platform with targeted policy+enforcing.
>>>> >>>
>>>> >>> When I try to boot, it completes labeling the filesystem, but I
>>>> >>> could not log in using root. See my error log:
>>>> >>>
>>>> >>> arm-cortex-a15 login: root
>>>> >>> Last login: Tue Aug 18 11:36:58 UTC 2015 on console
>>>> >>> Would you like to enter a security context? [N] Y
>>>> >>> role: unconfined_r
>>>> >>> level: s0
>>>> >>> [ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> >>> [ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>>>> >>> Cannot execute /bin/sh: Permission denied
>>>> >>>
>>>> >>> MontaVista Carrier Grade Linux 7.0.0 arm-cortex-a15 /dev/console
>>>> >>>
>>>> >>> arm-cortex-a15 login:
>>>> >>>
>>>> >>> Please help me. How can I solve this issue and achieve a normal boot?
>>>> >>>
>>>> >>>
>>>> >>> Thanks,
>>>> >>> Srinivas.
>>>> >>>
>>>> >>>
>>>> >>> --
>>>> >>> selinux mailing list
>>>> >>> selinux(a)lists.fedoraproject.org
>>>> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>> What does
>>>>
>>>> $ rpm -q selinux-policy-targeted
>>>>
>>>> ?
>>>>
>>>> Also, could you try to reinstall the selinux-policy-targeted to see if it
>>>> blows up?
>>>>
>>>> --
>>>> Miroslav Grepl
>>>> Senior Software Engineer, SELinux Solutions
>>>> Red Hat, Inc.
>>>>
>>>
>>>
>>>
>>
>
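Added example (not from the thread or from any of the participants): a small Python triage script for AVC denial lines of the kind quoted above. It parses the `avc: denied { perms } for key=value ...` form as it appears in dmesg or audit.log output, reduces scontext/tcontext to their type field, and flags the exact pattern in this thread: a process `transition` denied while `comm="login"` is still running as init_t, which points at the label of the login binary (it should be login_exec_t, behind any symlink) or at a nosuid mount, not at the policy. The sample log is constructed: two copies of the thread's denial plus one unrelated, made-up file denial so the summary has more than one pattern.

```python
"""Triage helper for SELinux AVC denials like the ones quoted in this thread.

Added example, not code from the thread or from any participant. SAMPLE_LOG is
constructed: the first two lines reproduce the thread's denial, the third is an
unrelated made-up file denial.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
[ 1252.885468] type=1400 audit(1439898856.140:13): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[ 1252.887219] type=1400 audit(1439898856.140:14): avc: denied { transition } for pid=1120 comm="login" path="/bin/bash" dev="mmcblk0" ino=58115 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
[ 1300.000000] type=1400 audit(1439898903.000:15): avc: denied { read } for pid=1130 comm="httpd" name="shadow" dev="mmcblk0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value ...": only the text after "avc:"
# is inspected, so dmesg and /var/log/audit/audit.log lines parse alike.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules key on the type.
    for side in ("scontext", "tcontext"):
        if side in rec:
            parts = rec[side].split(":")
            rec[side + "_type"] = parts[2] if len(parts) > 2 else rec[side]
    return rec


def diagnose(rec):
    """Return a one-line triage hint for a parsed denial (None if rec is None)."""
    if rec is None:
        return None
    src, dst = rec.get("scontext_type"), rec.get("tcontext_type")
    is_transition = rec.get("tclass") == "process" and "transition" in rec["perms"]
    if is_transition and src == "init_t" and rec.get("comm") == "login":
        # The thread's symptom: login never left init_t, so the expected
        # init_t -> local_login_t transition was not taken and the later
        # transition into the user's domain is refused.
        return ("login still runs as init_t: check that the real login binary "
                "(follow symlinks) is labeled login_exec_t and that its filesystem "
                "is not mounted nosuid; relabel, do not add an allow rule")
    if is_transition:
        return "domain transition %s -> %s denied by policy" % (src, dst)
    return "%s denied %s on %s (%s)" % (src, " ".join(rec["perms"]), dst, rec.get("tclass"))


def summarize(log_text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["scontext_type"], rec["tcontext_type"],
                    rec["tclass"], " ".join(rec["perms"]))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print("%3d x %s" % (n, key))
    for line in SAMPLE_LOG.splitlines():
        hint = diagnose(parse_avc(line))
        if hint:
            print("-", hint)
```

Feed it `dmesg` output or the audit log. The hint for the login case is deliberately about relabeling: running this denial through audit2allow would produce a rule letting init_t transition straight to unconfined_t, which hides the labeling fault instead of restoring the intended init_t -> local_login_t path.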