Hello All,

After recent system upgrade (this night) I lost access to two servers through SSH, because of change in SELinux policy - I have ssh there on different port and now it's gone.

Thanks to puppet I was able to change SSH port back to default and log in, but is this expected behavior? I thought minor upgrade shouldn't break things?

Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to ensure persistence?

--
Over And Out
MoonWolf
On 19/01/17 09:43, Marcin Trendota wrote:
> Hello All
>
> After recent system upgrade (this night) I lost access to two servers
> through SSH, because of change in SELinux policy - I have ssh there on
> different port and now it's gone.
>
> Thanks to puppet I was able to change SSH port back to default and log
> in, but is this expected behavior? I thought minor upgrade shouldn't
> break things?
>
> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
> ensure persistence?

It's normally enough, there is no need to do it again, except if it lost all custom settings and booleans.

Something to try on a VM (setup CentOS 7.3.1611, modify it without updating it, verify that it works, and then update it). If the problem can be reproduced, I'd say open a bug on bugs.centos.org *and* upstream bugzilla.redhat.com and link the two together.

--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
I have experienced this myself. It is very upsetting.

(Sent from iPhone, so please accept my apologies in advance for any spelling or grammatical errors.)

> On Jan 19, 2017, at 2:57 AM, Fabian Arrotin <arrfab at centos.org> wrote:
>
> log
On 01/19/2017 12:43 AM, Marcin Trendota wrote:
> After recent system upgrade (this night) I lost access to two servers
> through SSH, because of change in SELinux policy - I have ssh there on
> different port and now it's gone.

Which release? I also run ssh on an alternate port on one host, and that host didn't break following yesterday's updates.

Can you get the AVCs from /var/log/audit/audit.log?

What is currently the content of /etc/selinux/targeted/modules/active/ports.local? Does it describe the same ports as the output of "semanage port -l -C"?

> Or maybe "semanage port -a -t ssh_port_t -p tcp port" isn't enough to
> ensure persistency?

It should be. You should see that port labeled in the file above.
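A small script added here as an illustration of the check suggested above (it is not from anyone in this thread): it pulls the uncommented "Port" lines out of sshd_config text and the ssh_port_t entries out of "semanage port -l -C" output, and reports any configured port that the local customizations do not cover. The semanage and sshd_config text inside it is constructed sample data so it runs offline; the live-host invocation is in the trailing comment.

```shell
# Constructed "semanage port -l -C" output; port 22 is base policy, so not listed
SAMPLE_SEMANAGE='SELinux Port Type              Proto    Port Number

ssh_port_t                     tcp      2222, 10022
http_port_t                    tcp      8090'

# Constructed sshd_config excerpt; 3333 is deliberately left unlabeled above
SAMPLE_SSHD_CONFIG='# Port 22
Port 2222
Port 10022
Port 3333'

# Uncommented "Port N" directives from sshd_config text, one per line
sshd_ports() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# tcp ports (single or lo-hi ranges) listed for ssh_port_t in semanage output
ssh_labeled_ports() {
    printf '%s\n' "$1" | awk '$1=="ssh_port_t" && $2=="tcp" { for (i=3;i<=NF;i++) { gsub(",","",$i); print $i } }'
}

# Succeeds if port $1 lies inside one entry of the whitespace-separated list $2
port_is_labeled() {
    port=$1
    for entry in $2; do
        case $entry in
            *-*) lo=${entry%-*}; hi=${entry#*-} ;;
            *)   lo=$entry; hi=$entry ;;
        esac
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    done
    return 1
}

# Report each configured port; fail if a non-default port lacks ssh_port_t
check_ssh_ports() {
    labeled=$(ssh_labeled_ports "$2"); missing=0
    for p in $(sshd_ports "$1"); do
        if [ "$p" -eq 22 ] || port_is_labeled "$p" "$labeled"; then
            echo "port $p: ok"
        else
            echo "port $p: NOT labeled ssh_port_t (sshd will be denied name_bind when enforcing)"; missing=1
        fi
    done
    return $missing
}

# Live host: check_ssh_ports "$(cat /etc/ssh/sshd_config)" "$(semanage port -l -C)"
check_ssh_ports "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SEMANAGE" ||
    echo "relabel missing ports with: semanage port -a -t ssh_port_t -p tcp PORT"
```

If the port shows up in "semanage port -l -C" but sshd still cannot bind, compare that output against ports.local as asked above and look for the matching name_bind AVC in audit.log.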