Re: [CentOS] SELinux upgrade

2017-01-19 Thread Daniel J Walsh


On 01/19/2017 08:57 AM, Marcin Trendota wrote:
> On 19.01.2017 at 14:54, Johnny Hughes wrote:
>
>>> So, it looks like something with docker-selinux and container-selinux...
>> Right, I wanted to mention that docker-selinux was replaced with
>> container-selinux in the latest version.
> Shouldn't docker-selinux be automatically removed then?
>
container-selinux should disable docker policy and then install its own.

container-selinux-1.12.5-14
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Gordon Messmer

On 01/19/2017 12:43 AM, Marcin Trendota wrote:

After a recent system upgrade (this night) I lost access to two servers
through SSH, because of a change in SELinux policy - I have ssh there on
a different port and now it's gone.


Which release?  I also run ssh on an alternate port on one host, and 
that host didn't break following yesterday's updates.


Can you get the AVCs from /var/log/audit/audit.log?  What is currently 
the content of /etc/selinux/targeted/modules/active/ports.local?  Does 
it describe the same ports as the output of "semanage port -l -C"?



Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
ensure persistency?



It should be.  You should see that port labeled in the file above.

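An added example of the check Gordon describes (this is not code from the thread or from CentOS): before restarting sshd after a policy package update, confirm that the custom port is still labelled ssh_port_t both in the active policy listing and in the persisted ports.local. The script parses text, so it runs on constructed sample lines; the "semanage port -l" column layout is the one shown in the thread, while the "portcon PROTO PORT CONTEXT" layout of ports.local is an assumption. The function names port_in_listing, port_in_ports_local and check_ssh_port are invented here.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that a custom sshd port is
# still labelled ssh_port_t in two places:
#   1. the "semanage port -l" listing (what the loaded policy enforces), and
#   2. ports.local (the persisted local customisation semanage writes).
# Both parsers work on plain text, so they accept constructed samples as
# well as the real command output / file content.

# Constructed sample lines in "semanage port -l" format (type, proto, ports).
SAMPLE_SEMANAGE='ssh_port_t                     tcp      2222, 22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Constructed sample in the ASSUMED ports.local layout
# ("portcon PROTO PORT CONTEXT"), as found under
# /etc/selinux/targeted/modules/active/ports.local on CentOS 7.
SAMPLE_PORTS_LOCAL='# This file is auto-generated by libsemanage
portcon tcp 2222 system_u:object_r:ssh_port_t:s0'

# port_in_listing LISTING PROTO PORT
# Exit 0 if PORT/PROTO is listed under ssh_port_t (single ports or ranges).
port_in_listing() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == "ssh_port_t" && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # strip trailing comma
                if (p ~ /-/) {                    # range such as 5000-5010
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# port_in_ports_local CONTENT PROTO PORT
# Exit 0 if the persisted customisation carries PORT/PROTO as ssh_port_t.
port_in_ports_local() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == "portcon" && $2 == proto && $3 + 0 == port + 0 \
            && $4 ~ /:ssh_port_t:/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ssh_port PORT
# Runs both checks against the live system where the tool/file exists and
# returns non-zero if the port is missing from either place.
check_ssh_port() {
    port="$1"; rc=0
    if command -v semanage >/dev/null 2>&1; then
        port_in_listing "$(semanage port -l 2>/dev/null)" tcp "$port" \
            || { echo "tcp/$port is NOT labelled ssh_port_t in the active policy" >&2; rc=1; }
    fi
    f=/etc/selinux/targeted/modules/active/ports.local
    if [ -r "$f" ]; then
        port_in_ports_local "$(cat "$f")" tcp "$port" \
            || { echo "tcp/$port is NOT persisted in $f" >&2; rc=1; }
    fi
    return $rc
}

# Example against the constructed samples (no root or semanage needed):
port_in_listing "$SAMPLE_SEMANAGE" tcp 2222 && echo "listing: tcp/2222 is ssh_port_t"
port_in_ports_local "$SAMPLE_PORTS_LOCAL" tcp 2222 && echo "ports.local: tcp/2222 persisted"
```

On a real host, run "check_ssh_port 2222" (with your port) as root right after the update and before "systemctl restart sshd"; a non-zero exit means the label was lost and "semanage port -a -t ssh_port_t -p tcp PORT" must be re-applied, which is exactly the situation in which the thread's docker_t re-declaration error would also surface.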


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Marcin Trendota
On 19.01.2017 at 14:54, Johnny Hughes wrote:

>> So, it looks like something with docker-selinux and container-selinux...
> Right, I wanted to mention that docker-selinux was replaced with
> container-selinux in the latest version.

Shouldn't docker-selinux be automatically removed then?

-- 
Over And Out
MoonWolf


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Johnny Hughes
On 01/19/2017 04:47 AM, Marcin Trendota wrote:
> On 19.01.2017 at 10:17, Hal Wigoda wrote:
>> I have experienced this myself. It is very upsetting.
> 
> 
> It happened on servers with docker installed. I got an error message there:
> # semanage port -a -t ssh_port_t -p tcp 
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
> 
> After uninstalling:
> # yum remove docker*
> Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
> Rozwiązywanie zależności
> --> Wykonywanie sprawdzania transakcji
> ---> Pakiet docker.x86_64 2:1.10.3-59.el7.centos zostanie usunięty
> ---> Pakiet docker-common.x86_64 2:1.10.3-59.el7.centos zostanie usunięty
> ---> Pakiet docker-forward-journald.x86_64 0:1.10.3-44.el7.centos
> zostanie usunięty
> ---> Pakiet docker-registry.x86_64 0:0.9.1-7.el7 zostanie usunięty
> ---> Pakiet docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 zostanie
> usunięty
> --> Ukończono rozwiązywanie zależności
> [...]
> 
> And then:
> # semanage port -a -t ssh_port_t -p tcp 
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
> 
> 
> # yum remove docker-selinux
> Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
> Rozwiązywanie zależności
> --> Wykonywanie sprawdzania transakcji
> ---> Pakiet container-selinux.x86_64 2:1.10.3-59.el7.centos zostanie
> usunięty
> --> Ukończono rozwiązywanie zależności
> [...]
> 
> # semanage port -a -t ssh_port_t -p tcp 
> ValueError: Port tcp/ został już określony
> # semanage port -l | grep ssh
> ssh_port_t tcp  , 22
> 
> 
> So, it looks like something with docker-selinux and container-selinux...
> 

Right, I wanted to mention that docker-selinux was replaced with
container-selinux in the latest version.





Re: [CentOS] SELinux upgrade

2017-01-19 Thread Marcin Trendota
On 19.01.2017 at 10:17, Hal Wigoda wrote:
> I have experienced this myself. It is very upsetting.


It happened on servers with docker installed. I got an error message there:
# semanage port -a -t ssh_port_t -p tcp 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error

After uninstalling:
# yum remove docker*
Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
Rozwiązywanie zależności
--> Wykonywanie sprawdzania transakcji
---> Pakiet docker.x86_64 2:1.10.3-59.el7.centos zostanie usunięty
---> Pakiet docker-common.x86_64 2:1.10.3-59.el7.centos zostanie usunięty
---> Pakiet docker-forward-journald.x86_64 0:1.10.3-44.el7.centos
zostanie usunięty
---> Pakiet docker-registry.x86_64 0:0.9.1-7.el7 zostanie usunięty
---> Pakiet docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 zostanie
usunięty
--> Ukończono rozwiązywanie zależności
[...]

And then:
# semanage port -a -t ssh_port_t -p tcp 
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error


# yum remove docker-selinux
Wczytane wtyczki: fastestmirror, langpacks, priorities, versionlock
Rozwiązywanie zależności
--> Wykonywanie sprawdzania transakcji
---> Pakiet container-selinux.x86_64 2:1.10.3-59.el7.centos zostanie
usunięty
--> Ukończono rozwiązywanie zależności
[...]

# semanage port -a -t ssh_port_t -p tcp 
ValueError: Port tcp/ został już określony
# semanage port -l | grep ssh
ssh_port_t tcp  , 22


So, it looks like something with docker-selinux and container-selinux...

-- 
Over And Out
MoonWolf


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Hal Wigoda
I have experienced this myself. It is very upsetting.

(Sent from iPhone, so please accept my apologies in advance for any spelling or 
grammatical errors.)

> On Jan 19, 2017, at 2:57 AM, Fabian Arrotin wrote:
> 
> log


Re: [CentOS] SELinux upgrade

2017-01-19 Thread Fabian Arrotin
On 19/01/17 09:43, Marcin Trendota wrote:
> Hello All
> 
> After a recent system upgrade (this night) I lost access to two servers
> through SSH, because of a change in SELinux policy - I have ssh there on
> a different port and now it's gone.
> 
> Thanks to puppet I was able to change the SSH port back to default and log
> in, but is this expected behavior? I thought a minor upgrade shouldn't
> break things?
> 
> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
> ensure persistency?
> 

It's normally enough, there is no need to do it again, except if it lost
all custom settings and booleans. Something to try on a VM (set up CentOS
7.3.1611, modify it without updating it, verify that it works, and then
update it).
If the problem can be reproduced, I'd say open a bug on bugs.centos.org
*and* upstream bugzilla.redhat.com and link the two together.

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab


