SELinux Upgrade


Hello All

After the recent system upgrade (this night) I lost access to two servers through SSH, because of a change in SELinux policy – I have SSH there on a different port and now it’s gone.

Thanks to puppet I was able to change the SSH port back to the default and log in, but is this expected behavior? I thought a minor upgrade shouldn’t break things?

Or maybe “semanage port -a -t ssh_port_t -p tcp port” isn’t enough to ensure persistency?

8 thoughts on - SELinux Upgrade

  • It’s normally enough, there is no need to do it again, except if it lost all custom settings and booleans. Something to try on a VM (set up CentOS 7.3.1611, modify it without updating it, verify that it works, and then update it).
    If the problem can be reproduced, I’d say open a bug on bugs.CentOS.org *and* upstream bugzilla.redhat.com and link the two together.

  • I have experienced this myself. It is very upsetting.

    (Sent from iPhone, so please accept my apologies in advance for any spelling or grammatical errors.)

  • On 19.01.2017 at 10:17, Hal Wigoda wrote:

    It happened on servers with docker installed. I got error message there:
    # semanage port -a -t ssh_port_t -p tcp
    Re-declaration of type docker_t
    Failed to create node
    Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
    OSError: Error

    After uninstalling:
    # yum remove docker*
    Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
    Rozwiązywanie zależności
    --> Wykonywanie sprawdzania transakcji
    ---> Pakiet docker.x86_64 2:1.10.3-59.el7.CentOS zostanie usunięty
    ---> Pakiet docker-common.x86_64 2:1.10.3-59.el7.CentOS zostanie usunięty
    ---> Pakiet docker-forward-journald.x86_64 0:1.10.3-44.el7.CentOS zostanie usunięty
    ---> Pakiet docker-registry.x86_64 0:0.9.1-7.el7 zostanie usunięty
    ---> Pakiet docker-selinux.x86_64 0:1.10.3-46.el7.CentOS.14 zostanie usunięty
    --> Ukończono rozwiązywanie zależności
    […]

    And then:
    # semanage port -a -t ssh_port_t -p tcp
    Re-declaration of type docker_t
    Failed to create node
    Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
    OSError: Error

    # yum remove docker-selinux
    Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
    Rozwiązywanie zależności
    --> Wykonywanie sprawdzania transakcji
    ---> Pakiet container-selinux.x86_64 2:1.10.3-59.el7.CentOS zostanie usunięty
    --> Ukończono rozwiązywanie zależności
    […]

    # semanage port -a -t ssh_port_t -p tcp
    ValueError: Port tcp/ został już określony
    # semanage port -l | grep ssh
    ssh_port_t tcp , 22

    So, it looks like something with docker-selinux and container-selinux…

    Over And Out, MoonWolf

  • Right, I wanted to mention that docker-selinux was replaced with container-selinux in the latest version.

  • On 19.01.2017 at 14:54, Johnny Hughes wrote:

    Shouldn’t docker-selinux be automatically removed then?

  • Which release? I also run SSH on an alternate port on one host, and that host didn’t break following yesterday’s updates.

    Can you get the AVCs from /var/log/audit/audit.log? What is currently the content of /etc/selinux/targeted/modules/active/ports.local? Does it describe the same ports as the output of “semanage port -l -C”?

    It should be. You should see that port labeled in the file above.

  • Well, got hit by this too. Ironically, I don’t use docker; I think I had it installed because it was pulled in for something else.

    So, I tried the yum remove docker* but no go. When I do semanage port -a -t ssh_port_t -p tcp I get an error

    Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1

    which is something that doesn’t exist. Tried installing container-selinux, but so far, the only way to get SSH to work on a default port is to setenforce 0.

    This isn’t a really important machine, but it is certainly annoying.
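As an added helper that is not from any poster in this thread: a POSIX shell snippet that parses the output of `semanage port -l` and decides whether a custom sshd port needs `semanage port -a` (not yet labeled), `semanage port -m` (labeled with another type) or nothing (already ssh_port_t), so the "already defined" ValueError seen above is avoided; the listing and port 2222 are constructed assumptions, and it only prints the command rather than running it.

```shell
#!/bin/sh
# Parse `semanage port -l` output and choose the right semanage verb for an
# sshd port. Re-running `-a` on an already labeled port fails with
# "ValueError: Port tcp/NNNN already defined"; `-m` is needed in that case.

# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      2222, 22
syslogd_port_t                 udp      514, 601, 20514
unreserved_port_t              tcp      61001-65535, 1024-32767'

# Print the type that explicitly lists PORT/PROTO, or nothing if none does.
# Range entries (e.g. unreserved_port_t 1024-32767) are skipped on purpose:
# `semanage port -a` for a port that falls only inside such a range succeeds,
# since the "already defined" check compares exact entries, not ranges.
# Usage: port_type LISTING PROTO PORT
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p !~ /-/ && p == port) { print $1; exit }
            }
        }'
}

# "add" when unlabeled, "modify" when labeled with another type,
# "none" when the port is already ssh_port_t.
# Usage: ssh_port_action LISTING PROTO PORT
ssh_port_action() {
    case "$(port_type "$1" "$2" "$3")" in
        "")          echo add ;;
        ssh_port_t)  echo none ;;
        *)           echo modify ;;
    esac
}

# Print the semanage command to run (empty when nothing is needed).
# Usage: ssh_port_command LISTING PROTO PORT
ssh_port_command() {
    case "$(ssh_port_action "$1" "$2" "$3")" in
        add)    echo "semanage port -a -t ssh_port_t -p $2 $3" ;;
        modify) echo "semanage port -m -t ssh_port_t -p $2 $3" ;;
        none)   echo "" ;;
    esac
}

# On a real host: ssh_port_command "$(semanage port -l)" tcp 2222
```

Pair it with `semanage port -l -C`, which lists only local customizations, to confirm the entry survived the policy update.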