'setsebool -P' works but throws errors; changes not permanent

neutronsnowball
Posts: 15
Joined: 2016/10/27 18:09:29

'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/14 20:30:03

I log in w/ssh keys so didn't notice this immediately, but others login with a password plus a two-factor using YubiKey and they started failing at some point after the last updates were installed. After running:

Code:

setsebool -P authlogin_yubikey on
it works again until the next reboot, however it does throw errors which might help:

Code:

ssh logins:
[Cent-7:root@my_server home]# getsebool authlogin_yubikey
authlogin_yubikey --> off

[Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
libsepol.context_from_record: type gpio_device_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
invalid context system_u:object_r:gpio_device_t:s0

[Cent-7:root@my_server home]# getsebool authlogin_yubikey
authlogin_yubikey --> on

[Cent-7:root@my_server home]# reboot

[Cent-7:root@my_server home]# getsebool authlogin_yubikey
authlogin_yubikey --> off

TrevorH
Forum Moderator
Posts: 23205
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by TrevorH » 2018/06/14 21:46:42

There is something wrong with your system. It works here with no errors:

Code:

[root@centos7 ~]# setsebool -P authlogin_yubikey on
[root@centos7 ~]# 
What's the output from rpm -qa selinux\* policy\* ?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

neutronsnowball
Posts: 15
Joined: 2016/10/27 18:09:29

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/15 12:42:59

Ruh Roh! I don't like the sound of that! Here's the output:

Code:

[Cent-7:root@my_server ~]# rpm -qa selinux\* policy\*
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
selinux-policy-3.13.1-192.el7_5.3.noarch
policycoreutils-2.5-22.el7.x86_64
policycoreutils-python-2.5-22.el7.x86_64
Thanks Trevor!

TrevorH
Forum Moderator
Posts: 23205
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by TrevorH » 2018/06/15 13:33:46

Those are all the same as the ones I have installed. Do you get any output from running rpm -V against each of those packages? What I see here is

Code:

[root@centos7 ~]# rpm -V $(rpm -qa selinux\* policy\*)
.M.......  g /etc/selinux/targeted/active/policy.linked
.M.......  g /etc/selinux/targeted/active/seusers
.M.......    /etc/selinux/targeted/active/users_extra
[root@centos7 ~]#
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

neutronsnowball
Posts: 15
Joined: 2016/10/27 18:09:29

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/15 13:52:05

Similar:

Code:

[Cent-7:root@my_server ~]# rpm -V $(rpm -qa selinux\* policy\*)
.M.......  g /etc/selinux/targeted/active/policy.linked
.M.......  g /etc/selinux/targeted/active/seusers

TrevorH
Forum Moderator
Posts: 23205
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by TrevorH » 2018/06/15 14:00:09

Do you have any old custom policy files loaded in the output of semodule -l - specifically I'm talking about ones created by you?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

neutronsnowball
Posts: 15
Joined: 2016/10/27 18:09:29

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/15 16:31:48

Good thought but no, there are no custom semanage policies on this machine.

Just ran 'rpm -Va' to check the entire system and found this difference of interest:

Code:

S.5....T.  c /etc/yum.repos.d/CentOS-Base.repo
Affected server:

Code:

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
baseurl=http://olcentgbl.trafficmanager.net/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Non-affected server:

Code:

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
I don't recall changing this but didn't make a note of it if I did. Is this suspect?

neutronsnowball
Posts: 15
Joined: 2016/10/27 18:09:29

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/15 18:58:37

This machine was built in Azure using one of their 'vanilla' templates. I suspect the repo was modified by the builder.
Has anyone attempted pointing back to the official centos repos? What kind of mess might I create by switching now?

neutronsnowball
Posts: 15
Joined: 2016/10/27 18:09:29

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/15 20:54:02

UPDATE - the sebool policy reverts to off without needing a reboot. I do not know what is causing this.

Code:

[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> off
[Cent-7:root@my_server ~]# uptime
 15:48:10 up 3 days,  8:11,  1 user,  load average: 0.35, 0.39, 0.40
[Cent-7:root@my_server ~]# setsebool -P authlogin_yubikey on
libsepol.context_from_record: type gpio_device_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
invalid context system_u:object_r:gpio_device_t:s0
[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> on

neutronsnowball
Posts: 15
Joined: 2016/10/27 18:09:29

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/18 18:16:55

Found this bug on Red Hat's site which has very similar symptoms and is resolved in policycoreutils-2.7-6.fc27. Unfortunately CentOS's version is at 2.5-22.el7. Verified that the default of the Boolean is set to "off" using semanage:

Code:

[Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
SELinux boolean                State  Default Description
...
authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
As a workaround I added this cronjob to set this boolean to "on" every 15 minutes:

Code:

# cron runs jobs under /bin/sh, which has no "|&"; redirect stdout and stderr the POSIX way
*/15 * * * * /usr/sbin/setsebool -P authlogin_yubikey on >/dev/null 2>&1
Last edited by neutronsnowball on 2018/06/18 19:35:21, edited 1 time in total.
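As an added check (this is not code from the thread), the script below parses `semanage boolean -l` output and lists booleans whose runtime State differs from the persistent Default, which is exactly what the output above shows for authlogin_yubikey; it then prints the `setsebool -P` command that should make each one persistent, so a cron job can re-apply only what has actually drifted instead of blindly every 15 minutes. The `SAMPLE` input is constructed to match the thread's output format.

```shell
#!/bin/sh
# Added example, not from the thread: report SELinux booleans whose runtime
# state differs from the persistent default shown by `semanage boolean -l`.
# Such booleans will revert on the next policy reload or reboot, which is
# the symptom described in the thread.

# Constructed sample modelled on the thread's `semanage boolean -l` output.
# On a real host use:  SAMPLE=$(semanage boolean -l)
SAMPLE='SELinux boolean                State  Default Description
authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
httpd_can_network_connect      (off  ,  off)  Allow httpd to connect to the network
ssh_sysadm_login               (on   ,   on)  Allow ssh logins as sysadm_r:sysadm_t
samba_enable_home_dirs         (off  ,   on)  Allow samba to export home directories'

# Emit "name current default" for each boolean whose two columns disagree.
# The header line never matches because "(" does not follow its first word.
find_drifting_booleans() {
    printf '%s\n' "$1" |
        sed -n 's/^\([A-Za-z0-9_]*\)[[:space:]]*(\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)).*/\1 \2 \3/p' |
        awk '$2 != $3'
}

# Number of booleans that would revert.
drift_count() {
    find_drifting_booleans "$1" | wc -l | tr -d ' '
}

# For each drifting boolean, the command that should make the runtime value
# persistent. Review the list before running it; in the thread this exact
# command printed libsepol errors and the value still did not stick.
suggest_fixes() {
    find_drifting_booleans "$1" |
        awk '{ printf "setsebool -P %s %s\n", $1, $2 }'
}

echo "booleans that will revert: $(drift_count "$SAMPLE")"
find_drifting_booleans "$SAMPLE"
suggest_fixes "$SAMPLE"
```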
