Re: [CentOS] SELinux upgrade
On 01/19/2017 08:57 AM, Marcin Trendota wrote:
> On 19.01.2017 at 14:54, Johnny Hughes wrote:
>>> So, it looks like something with docker-selinux and container-selinux...
>> Right, I wanted to mention that docker-selinux was replaced with
>> container-selinux in the latest version.
> Shouldn't docker-selinux be automatically removed then?

container-selinux should disable the docker policy and then install its own.

container-selinux-1.12.5-14

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux upgrade
On 01/19/2017 12:43 AM, Marcin Trendota wrote:
> After recent system upgrade (this night) I lost access to two servers
> through SSH, because of change in SELinux policy - I have ssh there on
> different port and now it's gone.

Which release? I also run ssh on an alternate port on one host, and that
host didn't break following yesterday's updates.

Can you get the AVCs from /var/log/audit/audit.log?

What is currently the content of
/etc/selinux/targeted/modules/active/ports.local? Does it describe the same
ports as the output of "semanage port -l -C"?

> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
> ensure persistency?

It should be. You should see that port labeled in the file above.
Re: [CentOS] SELinux upgrade
On 19.01.2017 at 14:54, Johnny Hughes wrote:
>> So, it looks like something with docker-selinux and container-selinux...
> Right, I wanted to mention that docker-selinux was replaced with
> container-selinux in the latest version.

Shouldn't docker-selinux be automatically removed then?

-- 
Over And Out
MoonWolf
Re: [CentOS] SELinux upgrade
On 01/19/2017 04:47 AM, Marcin Trendota wrote:
> On 19.01.2017 at 10:17, Hal Wigoda wrote:
>> I have experienced this myself. It is very upsetting.
>
> It happened on servers with docker installed. I got an error message there:
> # semanage port -a -t ssh_port_t -p tcp
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
>
> After uninstalling:
> # yum remove docker*
> Loaded plugins: fastestmirror, langpacks, priorities, versionlock
> Resolving Dependencies
> --> Running transaction check
> ---> Package docker.x86_64 2:1.10.3-59.el7.centos will be erased
> ---> Package docker-common.x86_64 2:1.10.3-59.el7.centos will be erased
> ---> Package docker-forward-journald.x86_64 0:1.10.3-44.el7.centos will be erased
> ---> Package docker-registry.x86_64 0:0.9.1-7.el7 will be erased
> ---> Package docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 will be erased
> --> Finished Dependency Resolution
> [...]
>
> And then:
> # semanage port -a -t ssh_port_t -p tcp
> Re-declaration of type docker_t
> Failed to create node
> Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
> OSError: Error
>
> # yum remove docker-selinux
> Loaded plugins: fastestmirror, langpacks, priorities, versionlock
> Resolving Dependencies
> --> Running transaction check
> ---> Package container-selinux.x86_64 2:1.10.3-59.el7.centos will be erased
> --> Finished Dependency Resolution
> [...]
>
> # semanage port -a -t ssh_port_t -p tcp
> ValueError: Port tcp/ already defined
> # semanage port -l | grep ssh
> ssh_port_t tcp , 22
>
> So, it looks like something with docker-selinux and container-selinux...

Right, I wanted to mention that docker-selinux was replaced with
container-selinux in the latest version.
Re: [CentOS] SELinux upgrade
On 19.01.2017 at 10:17, Hal Wigoda wrote:
> I have experienced this myself. It is very upsetting.

It happened on servers with docker installed. I got an error message there:

# semanage port -a -t ssh_port_t -p tcp
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error

After uninstalling:

# yum remove docker*
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 2:1.10.3-59.el7.centos will be erased
---> Package docker-common.x86_64 2:1.10.3-59.el7.centos will be erased
---> Package docker-forward-journald.x86_64 0:1.10.3-44.el7.centos will be erased
---> Package docker-registry.x86_64 0:0.9.1-7.el7 will be erased
---> Package docker-selinux.x86_64 0:1.10.3-46.el7.centos.14 will be erased
--> Finished Dependency Resolution
[...]

And then:

# semanage port -a -t ssh_port_t -p tcp
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
OSError: Error

# yum remove docker-selinux
Loaded plugins: fastestmirror, langpacks, priorities, versionlock
Resolving Dependencies
--> Running transaction check
---> Package container-selinux.x86_64 2:1.10.3-59.el7.centos will be erased
--> Finished Dependency Resolution
[...]

# semanage port -a -t ssh_port_t -p tcp
ValueError: Port tcp/ already defined
# semanage port -l | grep ssh
ssh_port_t tcp , 22

So, it looks like something with docker-selinux and container-selinux...

-- 
Over And Out
MoonWolf
Re: [CentOS] SELinux upgrade
I have experienced this myself. It is very upsetting.

(Sent from iPhone, so please accept my apologies in advance for any spelling or grammatical errors.)

> On Jan 19, 2017, at 2:57 AM, Fabian Arrotin wrote:
>
> log
Re: [CentOS] SELinux upgrade
On 19/01/17 09:43, Marcin Trendota wrote:
> Hello All
>
> After recent system upgrade (this night) I lost access to two servers
> through SSH, because of change in SELinux policy - I have ssh there on
> different port and now it's gone.
>
> Thanks to puppet I was able to change SSH port back to default and log
> in, but is this expected behavior? I thought a minor upgrade shouldn't
> break things?
>
> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
> ensure persistency?

It's normally enough, there is no need to do it again, except if it lost
all custom settings and booleans.

Something to try on a VM (set up CentOS 7.3.1611, modify it without
updating it, verify that it works, and then update it). If the problem can
be reproduced, I'd say open a bug on bugs.centos.org *and* upstream
bugzilla.redhat.com and link the two together.

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
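The thread raises two checks a practitioner would want to script after an update like this: whether the alternate sshd port is still labeled ssh_port_t both in ports.local and in "semanage port -l -C" (and whether sshd is being denied name_bind on it in audit.log), and whether the old docker policy module and the new container module are both loaded, which is the situation behind the "Re-declaration of type docker_t" error above. The script below is an added example written for this page, not code from the thread or from the CentOS/container-selinux projects. It runs offline against constructed sample data; the file path /etc/selinux/targeted/active/ports.local, the "portcon" line format, the column layout of "semanage port -l -C" and "semodule -lfull", and the sample audit lines are all assumptions:

```sh
#!/bin/sh
# Added example (not from the thread): post-upgrade SELinux sanity check for
# an sshd that listens on an alternate port, run here against constructed
# samples. Paths, output formats and sample contents are assumptions.

# Constructed sample of /etc/selinux/targeted/active/ports.local
# (CentOS 7 path; the thread mentions the older modules/active location).
SAMPLE_PORTS_LOCAL='# This file is auto-generated by libsemanage
# Do not edit directly.

portcon tcp 2222 system_u:object_r:ssh_port_t:s0
portcon tcp 8443 system_u:object_r:http_port_t:s0'

# Constructed sample of "semanage port -l -C" (local customisations only).
SAMPLE_SEMANAGE_C='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8443
ssh_port_t                     tcp      2222'

# Constructed sample of "semodule -lfull" with both modules at priority 100.
SAMPLE_SEMODULE='100 abrt                      pp
100 container                 pp
100 docker                    pp
100 sshd                      pp'

# Constructed /var/log/audit/audit.log lines: one sshd bind denial on 2222.
SAMPLE_AUDIT='type=AVC msg=audit(1484820000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1484820000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="sshd"'

# ports_from_local TYPE PROTO TEXT: ports of TYPE/PROTO in ports.local, sorted
ports_from_local() {
    printf '%s\n' "$3" | awk -v t="$1" -v p="$2" \
        '$1 == "portcon" && $2 == p && index($4, ":" t ":") { print $3 }' | sort -n
}

# ports_from_semanage TYPE PROTO TEXT: same, parsed from "semanage port -l [-C]"
# output, where several ports are comma separated ("2222, 22")
ports_from_semanage() {
    printf '%s\n' "$3" | awk -v t="$1" -v p="$2" \
        '$1 == t && $2 == p { gsub(",", " "); for (i = 3; i <= NF; i++) print $i }' | sort -n
}

# ssh_port_persistent PORT LOCAL_TEXT SEMANAGE_TEXT
#   0: PORT is labeled ssh_port_t in both sources
#   1: both sources agree but PORT is not among them (customisation lost)
#   2: ports.local and semanage disagree (policy store out of sync)
ssh_port_persistent() {
    _local=$(ports_from_local ssh_port_t tcp "$2")
    _sem=$(ports_from_semanage ssh_port_t tcp "$3")
    [ "$_local" = "$_sem" ] || return 2
    printf '%s\n' "$_local" | grep -qx "$1" || return 1
    return 0
}

# sshd_bind_denials AUDIT_TEXT: ports on which sshd was denied name_bind
sshd_bind_denials() {
    printf '%s\n' "$1" | grep 'avc:  denied  { name_bind }' | grep 'comm="sshd"' |
        sed -n 's/.* src=\([0-9]*\) .*/\1/p'
}

# has_docker_container_conflict SEMODULE_TEXT: 0 if both modules are installed
has_docker_container_conflict() {
    printf '%s\n' "$1" | awk '$2 == "docker" { d = 1 } $2 == "container" { c = 1 }
        END { exit !(d && c) }'
}

# Stand-alone run against the constructed samples.
if ssh_port_persistent 2222 "$SAMPLE_PORTS_LOCAL" "$SAMPLE_SEMANAGE_C"; then
    echo "tcp/2222: labeled ssh_port_t in ports.local and semanage -C"
else
    echo "tcp/2222: NOT consistently persisted as ssh_port_t"
fi
for p in $(sshd_bind_denials "$SAMPLE_AUDIT"); do
    echo "audit.log: sshd denied name_bind on tcp/$p"
done
if has_docker_container_conflict "$SAMPLE_SEMODULE"; then
    echo "semodule: both docker and container policy modules installed"
fi
```

On a real host, feed the functions the live data instead of the samples: the contents of ports.local, the output of "semanage port -l -C" and "semodule -lfull", and "ausearch -m avc -c sshd" for the audit side. A return code of 2 from ssh_port_persistent means the local store and what semanage reports have drifted apart, which is the condition to capture before filing the bug Fabian suggests; a flagged docker/container conflict matches what the thread observed, where the stale docker-selinux module had to go before semanage would complete.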