On 08/25/2015 02:36 PM, Srinivasa Rao Ragolu wrote:
Hi All,
I am new to selinux stuff and I am trying to port selinux to embedded platform using meta-selinux layer from yocto project (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/?h=dizzy)
*Problem:*
Not able to log in as the root user. The root user is not accepted while booting in enforcing mode of the targeted policy.
*Observations:*
In permissive mode, I was able to log in and captured the details below. Using sysvinit as init manager.
*#ps*
  714 root      4920 S    /lib/udev/udevd -d
  825 root      4916 S    /lib/udev/udevd -d
  826 root      4916 S    /lib/udev/udevd -d
 1022 root      2172 S    {udhcpc} /bin/busybox /sbin/udhcpc -R -n -p /var/run
 1039 messageb 11204 S    /usr/bin/dbus-daemon --system
 1043 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1044 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1051 root      2172 S    {syslogd} /bin/busybox /sbin/syslogd -n -O /var/log/
 1054 root      2172 S    {klogd} /bin/busybox /sbin/klogd -n
 1057 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1060 avahi     3172 S    avahi-daemon: running [arm-cortex-a15.local]
 1061 avahi     3172 S    avahi-daemon: chroot helper
 1072 distcc    3124 S N  /usr/bin/distccd --pid-file=/var/run/distcc.pid --da
 1076 root      3544 S    /bin/login --
 1078 root         0 SW   [kauditd]
 1080 root      3020 S    -sh
 1081 root      2504 R    {ps} /bin/busybox /bin/ps
*#sestatus -v*
root@arm-cortex-a15:~# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0

File contexts:
Controlling terminal:           unconfined_u:object_r:user_tty_device_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:bin_t:s0 -> system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
*root@arm-cortex-a15:~# sesearch -T -t login_exec_t*
Found 3 semantic te rules:
   type_transition rlogind_t login_exec_t : process remote_login_t;
   type_transition telnetd_t login_exec_t : process remote_login_t;
   type_transition getty_t login_exec_t : process local_login_t;

*root@arm-cortex-a15:~# sesearch -T -t getty_exec_t*
Found 2 semantic te rules:
   type_transition init_t getty_exec_t : process getty_t;
   type_transition initrc_t getty_exec_t : process getty_t;

*root@arm-cortex-a15:~# grep getty_exec_t /etc/selinux/targeted/contexts/files/file-contexts*
/sbin/.*getty -- system_u:object_r:getty_exec_t:s0
root@arm-cortex-a15:~#
The policy rules in /etc/selinux/targeted/contexts/files/file-contexts are:
/bin/bash      --  system_u:object_r:shell_exec_t:s0
/bin/login     --  system_u:object_r:login_exec_t:s0
/bin/d?ash     --  system_u:object_r:shell_exec_t:s0
/sbin/.*getty  --  system_u:object_r:getty_exec_t:s0
As of now I am completely stuck. Please help me to resolve this issue. What modifications are needed to log in as root under the targeted policy in enforcing mode?
Thanks and Regards, Srinivas.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Are there AVCs in permissive mode?
Re-test and run
# ausearch -m avc,user_avc -ts recent
Also try to check /var/log/secure.
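As an added example (not part of this thread, and not meta-selinux or audit code), a small Python helper that parses AVC records of the form ausearch prints, here from constructed sample lines rather than the reporter's board, and groups them by source domain along the init_t -> getty_t -> local_login_t transition path the sesearch output above shows, so the step that would be denied in enforcing mode stands out.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured from the reporter's board), in the
# layout ausearch uses for AVC messages; one non-AVC record is included on purpose.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1440500000.101:77): avc:  denied  { execute } for  pid=1076 comm="getty" name="busybox" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1440500000.102:78): avc:  denied  { transition } for  pid=1076 comm="getty" path="/bin/busybox" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0 tclass=process permissive=1
type=AVC msg=audit(1440500000.250:79): avc:  denied  { read open } for  pid=1076 comm="login" name="shadow" scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=USER_START msg=audit(1440500000.300:80): pid=1076 uid=0 auid=0 msg='op=login id=0 exe="/bin/login" res=success'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Domains on the console login path, taken from the thread's sesearch output.
LOGIN_CHAIN = ("init_t", "getty_t", "local_login_t")

def parse_avcs(text):
    """Turn AVC lines into dicts keyed by type (user:role:TYPE:level); other records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({
                "perms": m.group("perms").split(),
                "source_type": m.group("scontext").split(":")[2],
                "target_type": m.group("tcontext").split(":")[2],
                "tclass": m.group("tclass"),
                "permissive": m.group("permissive") == "1",
            })
    return records

def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    return dict(grouped)

def login_path_denials(records, chain=LOGIN_CHAIN):
    """Keep only denials raised by a domain on the login transition chain."""
    return [r for r in records if r["source_type"] in chain]

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(parse_avcs(SAMPLE_AUDIT)).items()):
        print(f"{src:>14} -> {tgt:<14} {cls:<8} {{ {' '.join(sorted(perms))} }}")
```

Feed it the output of `ausearch -m avc,user_avc -ts recent` instead of SAMPLE_AUDIT to see which domain on the chain is denied and on what target type, with permissive=1 showing the denial was logged but not enforced.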