Hello All
After the recent system upgrade (this night) I lost access to two servers through SSH, because of a change in SELinux policy - I have ssh there on a different port and now it's gone.
Thanks to puppet I was able to change the SSH port back to the default and log in, but is this expected behavior? I thought a minor upgrade shouldn't break things?
Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to ensure persistence?
On 19/01/17 09:43, Marcin Trendota wrote:
> Hello All
> After the recent system upgrade (this night) I lost access to two servers through SSH, because of a change in SELinux policy - I have ssh there on a different port and now it's gone.
> Thanks to puppet I was able to change the SSH port back to the default and log in, but is this expected behavior? I thought a minor upgrade shouldn't break things?
> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to ensure persistence?
It's normally enough; there is no need to do it again, except if it lost all custom settings and booleans. Something to try on a VM: set up CentOS 7.3.1611, modify it without updating it, verify that it works, and then update it. If the problem can be reproduced, I'd say open a bug on bugs.centos.org *and* upstream bugzilla.redhat.com and link the two together.
I have experienced this myself. It is very upsetting.
On Jan 19, 2017, at 2:57 AM, Fabian Arrotin arrfab@centos.org wrote:
On 19.01.2017 at 10:17, Hal Wigoda wrote:
> I have experienced this myself. It is very upsetting.
It happened on servers with docker installed. I got this error message there:

# semanage port -a -t ssh_port_t -p tcp <newport>
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error

After uninstalling:

# yum remove docker*
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.10.3-59.el7.centos will be erased
---> Package docker-common.x86_64 2:1.10.3-59.el7.centos will be erased
---> Package docker-forward-journald.x86_64 0:1.10.3-44.el7.centos will be erased
---> Package docker-registry.x86_64 0:0.9.1-7.el7 will be erased
---> Package docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 will be erased
--> Finished Dependency Resolution
[...]

And then:

# semanage port -a -t ssh_port_t -p tcp <newport>
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error

# yum remove docker-selinux
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Resolving Dependencies
--> Running transaction check
---> Package container-selinux.x86_64 2:1.10.3-59.el7.centos will be erased
--> Finished Dependency Resolution
[...]

# semanage port -a -t ssh_port_t -p tcp <newport>
ValueError: Port tcp/<newport> already defined
# semanage port -l | grep ssh
ssh_port_t                     tcp      <newport>, 22

So, it looks like something with docker-selinux and container-selinux...
On 01/19/2017 04:47 AM, Marcin Trendota wrote:
> On 19.01.2017 at 10:17, Hal Wigoda wrote:
>> I have experienced this myself. It is very upsetting.
> It happened on servers with docker installed. I got this error message there:
>
> # semanage port -a -t ssh_port_t -p tcp <newport>
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
>
> After uninstalling:
>
> # yum remove docker*
> Loaded plugins: fastestmirror, langpacks, priorities, versionlock
> Resolving Dependencies
> --> Running transaction check
> ---> Package docker.x86_64 2:1.10.3-59.el7.centos will be erased
> ---> Package docker-common.x86_64 2:1.10.3-59.el7.centos will be erased
> ---> Package docker-forward-journald.x86_64 0:1.10.3-44.el7.centos will be erased
> ---> Package docker-registry.x86_64 0:0.9.1-7.el7 will be erased
> ---> Package docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 will be erased
> --> Finished Dependency Resolution
> [...]
>
> And then:
>
> # semanage port -a -t ssh_port_t -p tcp <newport>
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
>
> # yum remove docker-selinux
> Loaded plugins: fastestmirror, langpacks, priorities, versionlock
> Resolving Dependencies
> --> Running transaction check
> ---> Package container-selinux.x86_64 2:1.10.3-59.el7.centos will be erased
> --> Finished Dependency Resolution
> [...]
>
> # semanage port -a -t ssh_port_t -p tcp <newport>
> ValueError: Port tcp/<newport> already defined
> # semanage port -l | grep ssh
> ssh_port_t                     tcp      <newport>, 22
>
> So, it looks like something with docker-selinux and container-selinux...
Right, I wanted to mention that docker-selinux was replaced with container-selinux in the latest version.
On 19.01.2017 at 14:54, Johnny Hughes wrote:
>> So, it looks like something with docker-selinux and container-selinux...
> Right, I wanted to mention that docker-selinux was replaced with container-selinux in the latest version.
Shouldn't docker-selinux be automatically removed then?
On 01/19/2017 08:57 AM, Marcin Trendota wrote:
> On 19.01.2017 at 14:54, Johnny Hughes wrote:
>>> So, it looks like something with docker-selinux and container-selinux...
>> Right, I wanted to mention that docker-selinux was replaced with container-selinux in the latest version.
> Shouldn't docker-selinux be automatically removed then?
container-selinux should disable docker policy and then install its own.
container-selinux-1.12.5-14
On 01/19/2017 12:43 AM, Marcin Trendota wrote:
> After the recent system upgrade (this night) I lost access to two servers through SSH, because of a change in SELinux policy - I have ssh there on a different port and now it's gone.
Which release? I also run ssh on an alternate port on one host, and that host didn't break following yesterday's updates.
Can you get the AVCs from /var/log/audit/audit.log? What is currently the content of /etc/selinux/targeted/modules/active/ports.local? Does it describe the same ports as the output of "semanage port -l -C"?
> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to ensure persistence?
It should be. You should see that port labeled in the file above.
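Two practical checks come out of this thread: the "Port tcp/<newport> already defined" error above shows that `semanage port -a` refuses a port that already has an exact entry (that case needs `-m`), and the question of whether ports.local describes the same ports as `semanage port -l -C` is a check that can be scripted. The following is an added example, not code from the thread or from CentOS; it parses constructed samples of `semanage port -l`, `semanage port -l -C` and ports.local (modelled on CentOS 7 output), decides between `-a`, `-m` and nothing, and verifies that every local customization is present in the store file. The path /etc/selinux/targeted/active/ports.local used in the demo is an assumption for recent policycoreutils; the thread cites /etc/selinux/targeted/modules/active/ports.local, which is the older location.

```shell
#!/bin/sh
# Added example (not from the thread): parse the outputs discussed in the
# thread (`semanage port -l`, `semanage port -l -C`, ports.local) to decide
# whether an SSH port needs `semanage port -a` or `-m`, and to check that the
# local port customizations are actually persisted in the policy store.
# All sample outputs below are constructed for this example.

# Constructed excerpt of `semanage port -l` after the thread's fix: 2222 is
# already ssh_port_t; 8088 is a hypothetical local http_port_t customization.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8088, 80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      2222, 22
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535'

# Constructed excerpt of `semanage port -l -C` (local customizations only).
SAMPLE_PORT_LIST_LOCAL='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8088
ssh_port_t                     tcp      2222'

# Constructed ports.local matching the local listing above (libsemanage
# writes one portcon line per local customization).
SAMPLE_PORTS_LOCAL='# This file is auto-generated by libsemanage
# Do not edit directly.

portcon tcp 8088 system_u:object_r:http_port_t:s0
portcon tcp 2222 system_u:object_r:ssh_port_t:s0'

# port_owner PROTO PORT LISTING: print the type that owns PROTO/PORT as an
# exact entry in a `semanage port -l` listing. Ranges such as 1024-65535 are
# deliberately not matched: `semanage port -a` works for a port inside a range.
port_owner() {
  printf '%s\n' "$3" | awk -v pr="$1" -v p="$2" '
    NF >= 3 && $2 == pr {
      for (i = 3; i <= NF; i++) { x = $i; gsub(",", "", x); if (x == p) { print $1; exit } }
    }'
}

# ssh_port_action PORT LISTING: prints one of
#   ok      tcp/PORT is already ssh_port_t
#   modify  tcp/PORT is an exact entry of another type ("-a" would fail with
#           "Port tcp/PORT already defined", the error seen in the thread)
#   add     no exact entry exists, "-a" is the right call
ssh_port_action() {
  owner=$(port_owner tcp "$1" "$2")
  if [ "$owner" = ssh_port_t ]; then echo ok
  elif [ -n "$owner" ]; then echo modify
  else echo add
  fi
}

# ssh_port_command PORT LISTING: the semanage command to run (or a comment)
ssh_port_command() {
  case "$(ssh_port_action "$1" "$2")" in
    add)    echo "semanage port -a -t ssh_port_t -p tcp $1" ;;
    modify) echo "semanage port -m -t ssh_port_t -p tcp $1" ;;
    ok)     echo "# tcp/$1 is already ssh_port_t, nothing to do" ;;
  esac
}

# local_entries LISTING: one "proto port type" line per port entry in a listing
local_entries() {
  printf '%s\n' "$1" | awk 'NF >= 3 && ($2 == "tcp" || $2 == "udp") {
    for (i = 3; i <= NF; i++) { x = $i; gsub(",", "", x); print $2, x, $1 } }'
}

# port_persisted PROTO PORT TYPE PORTS_LOCAL: 0 iff ports.local has the portcon line
port_persisted() {
  printf '%s\n' "$4" | grep -q "^portcon $1 $2 system_u:object_r:$3:s0\$"
}

# store_consistent LISTING_LOCAL PORTS_LOCAL: 0 iff every entry shown by
# `semanage port -l -C` has a matching portcon line in ports.local
store_consistent() {
  local_entries "$1" | while read -r proto port type; do
    port_persisted "$proto" "$port" "$type" "$2" || exit 1
  done
}

# Stand-alone demo. On a real host feed "$(semanage port -l)",
# "$(semanage port -l -C)" and "$(cat /etc/selinux/targeted/active/ports.local)"
# (path assumed for recent policycoreutils; older stores use modules/active/).
ssh_port_command 2222 "$SAMPLE_PORT_LIST"
ssh_port_command 8088 "$SAMPLE_PORT_LIST"
ssh_port_command 2200 "$SAMPLE_PORT_LIST"
if store_consistent "$SAMPLE_PORT_LIST_LOCAL" "$SAMPLE_PORTS_LOCAL"; then
  echo "ports.local matches semanage port -l -C"
else
  echo "ports.local is missing local customizations; check the policy store"
fi
```

The decision function only treats an exact port entry as "already defined": a port that merely falls inside a range such as unreserved_port_t 1024-65535 can still be added with `-a`, which is the normal case for a custom SSH port. A mismatch reported by the consistency check is the symptom to look for when a policy package update (here the docker-selinux to container-selinux switch) has disturbed the store, and is what the audit.log AVCs would confirm.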