1.a. Begin Here
You must be in sysadm_r to perform these actions.
Run sestatus -v and compare its output against the tables below. Find the first context that does not match and go to the corresponding section:
| Process | Context |
|---|---|
| Init context | system_u:system_r:init_t |
| /sbin/agetty | system_u:system_r:getty_t |

| File | Context |
|---|---|
| /bin/login | system_u:object_r:login_exec_t |
| /sbin/unix_chkpwd | system_u:object_r:chkpwd_exec_t |
| /etc/passwd | system_u:object_r:etc_t |
| /etc/shadow | system_u:object_r:shadow_t |
| /bin/bash | system_u:object_r:shell_exec_t |
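The comparison above can be scripted. The following is an added example, not part of this guide: it reads the output of sestatus -v, checks the file contexts the guide lists (in the guide's own order), and names the first mismatch together with the section that fixes it. The sample output embedded in it is constructed, and the function and variable names are the example's own.

```shell
# Added example, not part of the Gentoo guide: compare the file contexts that
# "sestatus -v" prints with those this guide expects, and report the first
# mismatch in the guide's own order together with the section that fixes it.

# path|expected type|guide section (contexts and sections as listed above)
EXPECTED='/sbin/init|init_exec_t|1.b
/sbin/agetty|getty_exec_t|1.c
/bin/login|login_exec_t|1.d
/sbin/unix_chkpwd|chkpwd_exec_t|1.e
/etc/passwd|etc_t|1.f
/etc/shadow|shadow_t|1.f
/bin/bash|shell_exec_t|1.g'

# Reads "sestatus -v" output on stdin; prints the first mislabeled path and
# returns 1, or prints a summary and returns 0.
check_login_contexts() {
    # Keep only the "File contexts:" section: /sbin/agetty also appears under
    # "Process contexts:" with its process domain, which must not be compared.
    # Symlink lines ("path ctx -> target") reduce to path and context.
    files=$(awk '/^Process contexts:/ { s = 0 }
                 /^File contexts:/    { s = 1; next }
                 s && NF >= 2         { print $1, $2 }')
    while IFS='|' read -r path type section; do
        ctx=$(printf '%s\n' "$files" | awk -v p="$path" '$1 == p { print $2; exit }')
        [ -n "$ctx" ] || continue   # this sestatus build does not list the path
        # The type is the third field of user:role:type[:level].
        actual=$(printf '%s' "$ctx" | cut -d: -f3)
        if [ "$actual" != "$type" ]; then
            printf '%s: %s (expected system_u:object_r:%s, see section %s)\n' \
                "$path" "$ctx" "$type" "$section"
            return 1
        fi
    done <<EOF
$EXPECTED
EOF
    echo "all login-path file contexts match"
}

# Constructed sample (not from a real system): /bin/login is mislabeled.
SAMPLE='Process contexts:
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t

File contexts:
/etc/passwd                     system_u:object_r:etc_t
/bin/login                      system_u:object_r:bin_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t'

# Live use after sourcing this file: sestatus -v | check_login_contexts
printf '%s\n' "$SAMPLE" | check_login_contexts || true
```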
1.b. Incorrect Init Context
Verify Init Label
There are several possible reasons why init may have the wrong context. First, verify that init is labeled correctly by referring to the output of sestatus for /sbin/init. If it is not system_u:object_r:init_exec_t, relabel sysvinit.
Code Listing 1: Fix init context
```
# rlpkg sysvinit
```
Verify Available Policy (2006.1+)
You must be in sysadm_r to perform this action.
A binary policy must be available in /etc/selinux/{strict,targeted}/policy. If it is missing, then install the policy.
Code Listing 2: Install binary policy
```
# semodule -n -B
```
Verify Available Policy (pre 2006.1)
An appropriate binary policy version must also be available in /etc/security/selinux. For example, for policy version 17, /etc/security/selinux/policy.17 must exist. If it is missing, first adjust the policy (Makefile). Then compile and install the policy.
Code Listing 3: Install binary policy
```
# cd /etc/security/selinux/src/policy
# make clean
# make install
```
Verify Init Can Load the Policy
The final check is to ensure init can load the policy. Run ldd on init, and if libselinux is not in the output, remerge sysvinit.
Code Listing 4: Check init linking
```
# ldd /sbin/init
        linux-gate.so.1 => (0xffffe000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x40025000)
        libc.so.6 => /lib/libc.so.6 (0x40035000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
```
Now reboot so that init gains the correct context and loads the policy.
1.c. Incorrect agetty Context
Verify that agetty is labeled correctly by referring to the output of sestatus for /sbin/agetty. If it is not system_u:object_r:getty_exec_t, relabel util-linux. Then restart all gettys.
Code Listing 5: Fix agetty context
```
# rlpkg util-linux
# killall agetty
```
(They will respawn.)
All of the agettys should now be in the correct system_u:object_r:getty_exec_t context. Try logging in again.
1.d. Incorrect Login Context
The login program (/bin/login) is not labeled correctly. Relabel shadow.
Code Listing 6: Relabel shadow
```
# rlpkg shadow
```
/bin/login should now be system_u:object_r:login_exec_t. Try logging in again.
1.e. Incorrect PAM Context
Sshd must be able to use PAM for authenticating the user. The PAM password checking program (/sbin/unix_chkpwd) must be labeled correctly so sshd can transition to the password checking context. Relabel PAM.
Code Listing 7: Fix unix_chkpwd context
```
# rlpkg pam
```
The password checking program should now be system_u:object_r:chkpwd_exec_t. Try logging in again.
1.f. Incorrect Password File Contexts
The password file (/etc/passwd) and the shadow file (/etc/shadow) must be labeled correctly; otherwise PAM will not be able to authenticate your user. Relabel the files.
Code Listing 8: Fix shadow context
```
# restorecon /etc/passwd /etc/shadow
```
The password and shadow files should now be system_u:object_r:etc_t and system_u:object_r:shadow_t, respectively. Try logging in again.
1.g. Incorrect Bash File Context
Bash must be labeled correctly so the user can transition into the user domain when logging in. Relabel bash.
Code Listing 9: Fix bash context
```
# rlpkg bash
```
Bash (/bin/bash) should now be system_u:object_r:shell_exec_t. Try logging in again.