SELinux Upgrade
Hello All
After the recent system upgrade (this night) I lost access to two servers through SSH because of a change in SELinux policy: I have SSH there on a different port and now it's gone.
Thanks to puppet I was able to change the SSH port back to default and log in, but is this expected behavior? I thought a minor upgrade shouldn't break things?
Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to ensure persistency?
8 thoughts on - SELinux Upgrade
It's normally enough, there is no need to do it again, except if it lost all custom settings and booleans. Something to try on a VM (setup CentOS 7.3.1611, modify it without updating it, verify that it works, and then update it).
If the problem can be reproduced, I'd say open a bug on bugs.CentOS.org *and* upstream bugzilla.redhat.com and link the two together.
I have experienced this myself. It is very upsetting.
(Sent from iPhone, so please accept my apologies in advance for any spelling or grammatical errors.)
On 19.01.2017 at 10:17, Hal Wigoda wrote:
It happened on servers with docker installed. I got error message there:
# semanage port -a -t ssh_port_t -p tcp
Re-declaration of type docker_t Failed to create node Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error
After uninstalling:
# yum remove docker*
Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
Rozwiązywanie zależności
--> Wykonywanie sprawdzania transakcji
---> Pakiet docker.x86_64 2:1.10.3-59.el7.CentOS zostanie usunięty
---> Pakiet docker-common.x86_64 2:1.10.3-59.el7.CentOS zostanie usunięty
---> Pakiet docker-forward-journald.x86_64 0:1.10.3-44.el7.CentOS zostanie usunięty
---> Pakiet docker-registry.x86_64 0:0.9.1-7.el7 zostanie usunięty
---> Pakiet docker-selinux.x86_64 0:1.10.3-46.el7.CentOS.14 zostanie usunięty
--> Ukończono rozwiązywanie zależności
[…]
And then:
# semanage port -a -t ssh_port_t -p tcp
Re-declaration of type docker_t Failed to create node Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error
# yum remove docker-selinux
Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
Rozwiązywanie zależności
--> Wykonywanie sprawdzania transakcji
---> Pakiet container-selinux.x86_64 2:1.10.3-59.el7.CentOS zostanie usunięty
--> Ukończono rozwiązywanie zależności
[…]
# semanage port -a -t ssh_port_t -p tcp został już określony , 22
ValueError: Port tcp/
# semanage port -l | grep ssh
ssh_port_t tcp
So, it looks like something with docker-selinux and container-selinux…
--
Over And Out MoonWolf
Right, I wanted to mention that docker-selinux was replaced with container-selinux in the latest version.
On 19.01.2017 at 14:54, Johnny Hughes wrote:
Shouldn't docker-selinux be automatically removed then?
Which release? I also run SSH on an alternate port on one host, and that host didn’t break following yesterday’s updates.
Can you get the AVCs from /var/log/audit/audit.log? What is currently the content of /etc/selinux/targeted/modules/active/ports.local? Does it describe the same ports as the output of “semanage port -l -C”?
It should be. You should see that port labeled in the file above.
container-selinux should disable docker policy and then install its own.
container-selinux-1.12.5-14
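The check suggested above (does the port sshd listens on actually carry the ssh_port_t label after an update?) can be scripted so it runs from configuration management before an update is trusted. This is an added example, not code from anyone in this thread; the `semanage port -l` and sshd_config fragments below are constructed sample text, and on a real host you would feed it `semanage port -l` output and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output: ssh_port_t entries only.
SAMPLE_SEMANAGE='ssh_port_t                     tcp      2222, 22
ssh_port_t                     udp      22'
# Constructed sshd_config fragment: one active Port line, one commented out.
SAMPLE_SSHD='Port 2222
#Port 22
ListenAddress 0.0.0.0'

# port_labelled TYPE PROTO PORT SEMANAGE_OUTPUT
# Returns 0 when PORT falls inside the TYPE/PROTO entry; handles "a-b" ranges.
port_labelled() {
  type=$1; proto=$2; port=$3; out=$4
  echo "$out" | awk -v t="$type" -v p="$proto" -v port="$port" '
    $1 == t && $2 == p {
      for (i = 3; i <= NF; i++) {
        gsub(",", "", $i)                 # strip list separators
        n = split($i, r, "-")             # single port or lo-hi range
        lo = r[1]; hi = (n == 2) ? r[2] : r[1]
        if (port+0 >= lo+0 && port+0 <= hi+0) found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# sshd_ports SSHD_CONFIG_TEXT
# Prints every active "Port" directive; falls back to 22 when none is set.
sshd_ports() {
  ports=$(echo "$1" | awk 'tolower($1) == "port" { print $2 }')
  [ -n "$ports" ] && echo "$ports" || echo 22
}

# check_ssh_ports SSHD_CONFIG_TEXT SEMANAGE_OUTPUT
# Reports each configured port; returns 1 if any lacks the ssh_port_t label
# (sshd would then be denied the bind under enforcing mode).
check_ssh_ports() {
  rc=0
  for p in $(sshd_ports "$1"); do
    if port_labelled ssh_port_t tcp "$p" "$2"; then
      echo "ok: tcp/$p is labelled ssh_port_t"
    else
      echo "MISSING: tcp/$p is not labelled ssh_port_t"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run on the constructed samples; on a real host use:
# check_ssh_ports "$(cat /etc/ssh/sshd_config)" "$(semanage port -l)"
check_ssh_ports "$SAMPLE_SSHD" "$SAMPLE_SEMANAGE"
```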
Well, got hit by this too. Ironically, I don't use docker; I think I had it installed because it was pulled in for something else.
So, tried the yum remove docker* but no go. When I do semanage port -a -t ssh_port_t -p tcp I get an error
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
which is something that doesn’t exist. Tried installing container-selinux, but so far, the only way to get SSH to work on a default port is to setenforce 0.
This isn’t a really important machine, but it is certainly annoying.