login role transition failing on mls livecd

Joe Nall joe at nall.com
Fri Feb 23 19:50:54 UTC 2007


I've been working on a fedora livecd that runs the mls policy. When I  
log in as root via ssh

[root at livecd ~]# id -Z
root:staff_r:staff_t:SystemLow-SystemHigh

but if I log in via the console

[root at livecd ~]# id -Z
system_u:system_r:local_login_t:SystemLow-SystemHigh

I'm not transitioning into the correct role/type on a console login.  
Any pointers on where to look/what I forgot to create would be  
appreciated.

joe

ls -Z `tty`
crw--w----  root tty system_u:object_r:tty_device_t:SystemLow /dev/tty4

Audit from a local login:

type=USER_AUTH msg=audit(1172236367.222:134): user pid=2395 uid=0  
auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023  
msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?,  
addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1172236367.222:135): user pid=2395 uid=0  
auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023  
msg='PAM: accounting acct=root : exe="/bin/login" (hostname=?,  
addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1172236367.228:136): login pid=2395 uid=0 old  
auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1172236367.246:137): user pid=2395  
uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023  
msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023  
selected-context=?: exe="/bin/login" (hostname=?, addr=?,  
terminal=tty1 res=success)'
type=USER_START msg=audit(1172236367.246:138): user pid=2395 uid=0  
auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM:  
session open acct=root : exe="/bin/login" (hostname=?, addr=?,  
terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1172236367.248:140): user pid=2395 uid=0  
auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023  
msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1  
res=success)'
type=AVC msg=audit(1172236367.248:141): avc:  denied  
{ execute_no_trans } for  pid=2401 comm="login" name="bash" dev=dm-0  
ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023  
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1172236367.248:141): arch=40000003 syscall=11  
success=yes exit=0 a0=91d56d0 a1=bfde41c0 a2=91d7978 a3=804d2e8 items=0  
ppid=2395 pid=2401 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0  
fsgid=0 tty=tty1 comm="bash" exe="/bin/bash"  
subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172236367.248:141):  path="/bin/bash"
type=AVC msg=audit(1172236367.301:142): avc:  denied  { execute }  
for  pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832  
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023  
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1172236367.301:142): avc:  denied  
{ execute_no_trans } for  pid=2411 comm="bash" name="hostname"  
dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023  
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

sestatus -v

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        mls

Process contexts:
Current context:                system_u:system_r:local_login_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:init_t:SystemLow-SystemHigh
/sbin/mingetty                  system_u:system_r:getty_t:SystemLow-SystemHigh
/usr/sbin/sshd                  system_u:system_r:sshd_t:SystemLow-SystemHigh

File contexts:
Controlling term:               system_u:object_r:tty_device_t:SystemLow
/etc/passwd                     system_u:object_r:etc_t:SystemLow
/etc/shadow                     system_u:object_r:shadow_t:SystemLow
/bin/bash                       system_u:object_r:shell_exec_t:SystemLow
/bin/login                      system_u:object_r:login_exec_t:SystemLow
/bin/sh                         system_u:object_r:bin_t:SystemLow -> system_u:object_r:shell_exec_t:SystemLow
/sbin/agetty                    system_u:object_r:getty_exec_t:SystemLow
/sbin/init                      system_u:object_r:init_exec_t:SystemLow
/sbin/mingetty                  system_u:object_r:getty_exec_t:SystemLow
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
/lib/libc.so.6                  system_u:object_r:lib_t:SystemLow -> system_u:object_r:shlib_t:SystemLow
/lib/ld-linux.so.2              system_u:object_r:lib_t:SystemLow -> system_u:object_r:ld_so_t:SystemLow
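The two signals in the audit trail above that say "this login never left the login domain" are the USER_ROLE_CHANGE record with a default-context but selected-context=?, and the execute_no_trans denial where local_login_t runs shell_exec_t itself instead of transitioning. The script below is an added example for this thread (not Joe's code and not part of Fedora or the SELinux tooling) that parses audit records and flags exactly that pattern. It embeds a subset of the records from the post as its sample input; the set of login domains it checks (local_login_t, remote_login_t, sshd_t) is an assumption based on the reference policy's type names.

```python
"""Spot a login that stayed in its login domain, from Linux audit records.

Added example for the thread above; not part of the original post or of
Fedora/SELinux tooling.  Sample records are a subset of those in the post,
unwrapped onto one line each.
"""
import re
from dataclasses import dataclass

# Constructed copy of records from the post (email line wrapping undone).
AUDIT_LOG = """\
type=USER_AUTH msg=audit(1172236367.222:134): user pid=2395 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1172236367.228:136): login pid=2395 uid=0 old auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1172236367.246:137): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1172236367.248:140): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=AVC msg=audit(1172236367.248:141): avc:  denied  { execute_no_trans } for  pid=2401 comm="login" name="bash" dev=dm-0 ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1172236367.248:141): arch=40000003 syscall=11 success=yes exit=0 a0=91d56d0 a1=bfde41c0 a2=91d7978 a3=804d2e8 items=0 ppid=2395 pid=2401 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="bash" exe="/bin/bash" subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172236367.248:141):  path="/bin/bash"
type=AVC msg=audit(1172236367.301:142): avc:  denied  { execute } for  pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1172236367.301:142): avc:  denied  { execute_no_trans } for  pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w[\w-]*)=('[^']*'|\"[^\"]*\"|\S+)")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")

# Assumed (reference policy naming): domains a login program runs in before
# it hands the session over to the user's shell domain.
LOGIN_DOMAINS = {"local_login_t", "remote_login_t", "sshd_t"}


@dataclass
class Record:
    type: str
    serial: int
    fields: dict


def _clean(value):
    """Strip quoting and the trailing punctuation PAM messages attach to values."""
    value = value.strip("'\"").rstrip(",:")
    if value.endswith(")") and "(" not in value:
        value = value[:-1]
    return value


def _kv(text):
    return {k: _clean(v) for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one audit line into a Record; returns None for non-audit text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = _kv(rest)
    if "msg" in fields:  # PAM records nest further key=value pairs inside msg='...'
        fields.update(_kv(fields["msg"]))
    avc = AVC_RE.search(rest)
    if avc:
        fields["result"] = avc.group("result")
        fields["perms"] = avc.group("perms").split()
    return Record(m.group("type"), int(m.group("serial")), fields)


def ctx_type(context):
    """Type field of a user:role:type[:range] context, or '' if not a context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def analyze(lines):
    """Flag a login whose session shell was started without a domain transition."""
    findings = {"unselected_role_change": [], "shell_without_transition": [], "events": 0}
    for rec in filter(None, map(parse_record, lines)):
        findings["events"] += 1
        f = rec.fields
        # pam_selinux computed a default context but selected nothing for the session
        if rec.type == "USER_ROLE_CHANGE" and f.get("selected-context") == "?":
            findings["unselected_role_change"].append((rec.serial, f.get("default-context")))
        # the login program executed the shell in its own domain: no type transition
        if (rec.type == "AVC" and f.get("result") == "denied"
                and "execute_no_trans" in f.get("perms", ())
                and f.get("tclass") == "file"
                and ctx_type(f.get("tcontext", "")) == "shell_exec_t"
                and ctx_type(f.get("scontext", "")) in LOGIN_DOMAINS):
            findings["shell_without_transition"].append(
                (rec.serial, int(f["pid"]), f["comm"], ctx_type(f["scontext"])))
    return findings


def report(findings):
    out = []
    for serial, default in findings["unselected_role_change"]:
        out.append(f"serial {serial}: pam_selinux computed {default} but selected no context")
    for serial, pid, comm, domain in findings["shell_without_transition"]:
        out.append(f"serial {serial}: {comm} (pid {pid}) ran the shell while still in {domain}")
    return out or ["no login transition problems found"]


if __name__ == "__main__":
    print("\n".join(report(analyze(AUDIT_LOG.splitlines()))))
```

Run it over `ausearch -i`-free raw output (the script expects the raw `type=... msg=audit(...)` form, one record per line). A shell that shows up under a login domain in the second finding is the same thing `id -Z` reported in the post; on an enforcing system the execute_no_trans denial would have stopped the shell from starting at all, which is why this is worth catching while the box is still permissive.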