* 'setsebool -P' works but throws errors; changes not permanent
@ 2018-06-18 19:44 Mike Hughes
  2018-06-18 20:27 ` Stephen Smalley
  2018-06-19 17:30 ` Jalus Bilieyich
  0 siblings, 2 replies; 6+ messages in thread
From: Mike Hughes @ 2018-06-18 19:44 UTC (permalink / raw)
  To: selinux

We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called "authlogin_yubikey". It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:

--
[Cent-7:root@my_server home]# getsebool authlogin_yubikey
authlogin_yubikey --> off

[Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
libsepol.context_from_record: type gpio_device_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
invalid context system_u:object_r:gpio_device_t:s0

[Cent-7:root@my_server home]# getsebool authlogin_yubikey
authlogin_yubikey --> on
---

The system accepts two-factor while the above is set to "on". After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to "off":

--
[Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
SELinux boolean                State  Default Description
...
authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
--

It looks similar to the following bug on Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1559174

* Re: 'setsebool -P' works but throws errors; changes not permanent
  2018-06-18 19:44 'setsebool -P' works but throws errors; changes not permanent Mike Hughes
@ 2018-06-18 20:27 ` Stephen Smalley
  2018-06-18 20:33   ` Mike Hughes
  2018-06-19 17:30 ` Jalus Bilieyich
  1 sibling, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2018-06-18 20:27 UTC (permalink / raw)
  To: Mike Hughes, selinux

On 06/18/2018 03:44 PM, Mike Hughes wrote:
> We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called “authlogin_yubikey”. It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:
> 
> --
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> off
> 
> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> libsepol.context_from_record: type gpio_device_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> invalid context system_u:object_r:gpio_device_t:s0

Sounds like your policy is in an inconsistent internal state (somewhere you have a context with gpio_device_t but the type isn't defined in the policy).

What's your policy version?  And did it perhaps fail during %post when it was updated - check yum.log?

Does semodule -B fail?

Might have to move aside your policy and reinstall it.

> 
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> on
> ---
> 
> The system accepts two-factor while the above is set to “on”. After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to “off”:
> 
> --
> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> SELinux boolean                State  Default Description
> ...
> authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
> --
> 
> It looks similar to the following bug on Fedora:
> https://bugzilla.redhat.com/show_bug.cgi?id=1559174
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

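An added example, not part of the thread: the inconsistency Stephen describes (a context naming a type that the loaded policy does not define) can be checked for directly instead of waiting for libsepol to complain during setsebool -P. The script below extracts every type referenced in a file_contexts stream and compares it with the types the loaded policy defines. The CentOS 7 store path, the use of setools' seinfo for the type list, and the sample file_contexts excerpt at the bottom are assumptions, not data from Mike's host.

```sh
#!/bin/sh
# Added example (not from the thread): find security contexts in a
# file_contexts stream whose type the loaded policy does not define, the
# condition behind "libsepol.context_from_record: type gpio_device_t is not
# defined". Store path and the seinfo output format are assumptions about a
# CentOS 7 host; the sample data at the bottom is constructed, not captured.
set -eu

# Print, once each, the type field of every context in a file_contexts stream.
# Accepts both the on-disk format
#   /dev/gpiochip[0-9]+   -c   system_u:object_r:gpio_device_t:s0
# and `semanage fcontext -l` output
#   /dev/gpiochip[0-9]+   character device   system_u:object_r:gpio_device_t:s0
# because the context is always the last field. "<<none>>" entries carry no
# context; comments and blank lines are skipped.
fcontext_types() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            ctx = $NF
            if (ctx == "<<none>>") next
            n = split(ctx, part, ":")      # user:role:type[:range]
            if (n >= 3) print part[3]
        }' | sort -u
}

# Read file_contexts on stdin; $1 is a newline-separated list of the types the
# loaded policy defines. Print each type that is referenced but not defined
# and exit 1 if there were any, so the function can gate a health check.
undefined_types() {
    defined=$1
    fcontext_types | {
        missing=0
        while IFS= read -r t; do
            if ! printf '%s\n' "$defined" | grep -qxF -- "$t"; then
                echo "$t"
                missing=1
            fi
        done
        [ "$missing" -eq 0 ]
    }
}

# Types known to the loaded policy, from setools' seinfo (setools-console on
# CentOS 7). seinfo prints a "Types: N" header and indents each name, so keep
# only the single-field lines.
defined_types() {
    seinfo -t | awk 'NF == 1 { print $1 }'
}

# Live check for a store (default: targeted). Returns 1 when the store's
# file_contexts names a type the loaded policy lacks, i.e. the state in which
# setsebool -P prints the libsepol errors quoted above.
check_live_policy() {
    store=${1:-targeted}
    fc="/etc/selinux/$store/contexts/files/file_contexts"
    if undefined_types "$(defined_types)" < "$fc"; then
        echo "OK: every type in $fc is defined in the loaded policy"
    else
        echo "WARNING: the types above are used in $fc but undefined;"
        echo "the policy store is inconsistent; reinstall selinux-policy-$store"
        return 1
    fi
}

# Constructed sample: a file_contexts excerpt and a type list that lacks
# gpio_device_t, reproducing the thread's condition offline.
SAMPLE_FC='# constructed excerpt, not a real file_contexts
/dev/gpiochip[0-9]+     -c      system_u:object_r:gpio_device_t:s0
/dev/null               -c      system_u:object_r:null_device_t:s0
/dev/.*                 system_u:object_r:device_t:s0
/tmp/scratch            <<none>>
'
SAMPLE_TYPES='device_t
null_device_t'

if printf '%s' "$SAMPLE_FC" | undefined_types "$SAMPLE_TYPES"; then
    echo "sample store is consistent"
else
    echo "sample store references undefined types (listed above)"
fi
```

On a real host, source the file and call check_live_policy (or check_live_policy mls for another store). It only covers the main file_contexts; file_contexts.local and file_contexts.homedirs can be piped through undefined_types the same way.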
* RE: 'setsebool -P' works but throws errors; changes not permanent
  2018-06-18 20:27 ` Stephen Smalley
@ 2018-06-18 20:33   ` Mike Hughes
  2018-06-19 12:38     ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Mike Hughes @ 2018-06-18 20:33 UTC (permalink / raw)
  To: selinux

> -----Original Message-----
> From: Stephen Smalley <sds@tycho.nsa.gov>
> Sent: Monday, June 18, 2018 15:28
> To: Mike Hughes <mike@visionary.com>; selinux@tycho.nsa.gov
> Subject: Re: 'setsebool -P' works but throws errors; changes not permanent
> 
> On 06/18/2018 03:44 PM, Mike Hughes wrote:
> > We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called “authlogin_yubikey”. It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:
> >
> > --
> > [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> > authlogin_yubikey --> off
> >
> > [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> > libsepol.context_from_record: type gpio_device_t is not defined
> > libsepol.context_from_record: could not create context structure
> > libsepol.context_from_string: could not create context structure
> > libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> > invalid context system_u:object_r:gpio_device_t:s0
> 
> Sounds like your policy is in an inconsistent internal state (somewhere you have a context
> with gpio_device_t but the type isn't defined in the policy).
> 
> What's your policy version?  And did it perhaps fail during %post when it was updated -
> check yum.log?

Nothing stands out to me in yum.log


> Does semodule -B fail?

No, it completes without error:

--
[Cent-7:root@my_server ~]# semodule -B
[Cent-7:root@my_server ~]# echo $?
0
[Cent-7:root@my_server ~]#
--
> 
> Might have to move aside your policy and reinstall it.

How might one accomplish this?

> >
> > [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> > authlogin_yubikey --> on
> > ---
> >
> > The system accepts two-factor while the above is set to “on”. After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to “off”:
> >
> > --
> > [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> > SELinux boolean                State  Default Description
> > ...
> > authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
> > --
> >
> > It looks similar to the following bug on Fedora:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1559174

* Re: 'setsebool -P' works but throws errors; changes not permanent
  2018-06-18 20:33   ` Mike Hughes
@ 2018-06-19 12:38     ` Stephen Smalley
  2018-06-19 17:25       ` Mike Hughes
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2018-06-19 12:38 UTC (permalink / raw)
  To: Mike Hughes, selinux

On 06/18/2018 04:33 PM, Mike Hughes wrote:
>> -----Original Message-----
>> From: Stephen Smalley <sds@tycho.nsa.gov>
>> Sent: Monday, June 18, 2018 15:28
>> To: Mike Hughes <mike@visionary.com>; selinux@tycho.nsa.gov
>> Subject: Re: 'setsebool -P' works but throws errors; changes not permanent
>>
>> On 06/18/2018 03:44 PM, Mike Hughes wrote:
>>> We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called “authlogin_yubikey”. It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:
>>>
>>> --
>>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
>>> authlogin_yubikey --> off
>>>
>>> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
>>> libsepol.context_from_record: type gpio_device_t is not defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
>>> invalid context system_u:object_r:gpio_device_t:s0
>>
>> Sounds like your policy is in an inconsistent internal state (somewhere you have a context
>> with gpio_device_t but the type isn't defined in the policy).
>>
>> What's your policy version?  And did it perhaps fail during %post when it was updated -
>> check yum.log?
> 
> Nothing stands out to me in yum.log

There would have been error messages during the update of the selinux-policy-targeted package.

You didn't mention your policy version.  On an updated CentOS 7 VM, I see:
$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch

And it has gpio_device_t defined:
$ seinfo -t | grep gpio_device_t
gpio_device_t

And this type is used in file_contexts:
$ semanage fcontext -l | grep gpio_device_t
/dev/gpiochip[0-9]+	character device	system_u:object_r:gpio_device_t:s0

> 
> 
>> Does semodule -B fail?
> 
> No, it completes without error:
> 
> --
> [Cent-7:root@my_server ~]# semodule -B
> [Cent-7:root@my_server ~]# echo $?
> 0
> [Cent-7:root@my_server ~]#
> --
>>
>> Might have to move aside your policy and reinstall it.
> 
> How might one accomplish this?

You could try first to just reinstall the package, e.g. yum reinstall selinux-policy-targeted.

If that doesn't resolve it, then export any local customizations you have and move aside your active policy store and try again, ala
semanage export -f exports
mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
yum reinstall selinux-policy-targeted

Then check that everything in the exports file is something you want to preserve, and if so, re-import it.
cat exports
semanage import -f exports

If that doesn't resolve it, you could move aside the entire policy tree and try again, ala
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted

And then re-import your exports if desired/appropriate.

You may also have to re-insert any local policy modules you have defined; I don't think export/import handles modules, just other changes.

> 
>>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
>>> authlogin_yubikey --> on
>>> ---
>>>
>>> The system accepts two-factor while the above is set to “on”. After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to “off”:
>>>
>>> --
>>> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
>>> SELinux boolean                State  Default Description
>>> ...
>>> authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
>>> --
>>>
>>> It looks similar to the following bug on Fedora:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1559174

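An added example, not from the thread: Stephen's three rungs (reinstall the package; export local customizations, move aside the active store and reinstall; move aside the whole policy tree and reinstall) as one script. It escalates only when the previous rung did not make the boolean's Default column stick, shows the export before re-importing it, and records the module list beforehand so that locally inserted modules the rebuild dropped can be re-inserted, since export/import does not carry them. The store name, boolean, export path and the yum -y flag are assumptions; the paths are CentOS 7's.

```sh
#!/bin/sh
# Added example (not from the thread): the recovery ladder as a script.
# Assumptions: CentOS 7 paths, the targeted store, the authlogin_yubikey
# boolean, and a root-owned export path. Run as root with --run.
set -eu

STORE=${STORE:-targeted}
BOOLEAN=${BOOLEAN:-authlogin_yubikey}
EXPORT_FILE=${EXPORT_FILE:-/root/selinux-local-$(date +%Y%m%d-%H%M%S).txt}

# Parse `semanage boolean -l` output on stdin and print "<state> <default>"
# for boolean $1. The broken store in the thread yields "on off": the running
# value is on but the persistent default, the value a reboot restores, is off.
boolean_state() {
    awk -v name="$1" '$1 == name { gsub(/[(),]/, " "); print $2, $3; exit }'
}

# Exit 0 when the Default column for boolean $1 is "on" (stdin as above).
default_is_on() {
    [ "$(boolean_state "$1" | cut -d' ' -f2)" = "on" ]
}

# Print names listed in $1 (one per line) that are absent from stdin; used to
# spot local modules the rebuild dropped, which semanage export does not save.
dropped_modules() {
    after=$(sort -u)
    printf '%s\n' "$1" | sort -u | while IFS= read -r m; do
        printf '%s\n' "$after" | grep -qxF -- "$m" || echo "$m"
    done
}

# The thread's reproduction: set the boolean persistently, then check that
# the Default column (not just getsebool's running state) actually changed.
set_and_verify() {
    setsebool -P "$BOOLEAN" on || return 1
    semanage boolean -l | default_is_on "$BOOLEAN"
}

reinstall_policy() {
    yum -y reinstall "selinux-policy-$STORE"
}

# Show the export before re-importing it, as advised above.
reimport_customizations() {
    echo "Local customizations saved in $EXPORT_FILE:"
    cat "$EXPORT_FILE"
    printf 'Re-import them? [y/N] '
    read -r answer || answer=n
    if [ "$answer" = y ]; then semanage import -f "$EXPORT_FILE"; fi
}

report_dropped_modules() {
    dropped=$(semodule -l | awk '{print $1}' | dropped_modules "$1")
    if [ -n "$dropped" ]; then
        printf 'Re-insert these local modules from source (semodule -i):\n%s\n' "$dropped"
    fi
}

recover() {
    if set_and_verify; then echo "default already persists"; return 0; fi
    modules_before=$(semodule -l | awk '{print $1}')

    echo "Rung 1: reinstall the policy package"
    reinstall_policy
    if set_and_verify; then echo "fixed by reinstall"; return 0; fi

    echo "Rung 2: export customizations, move aside the active store, reinstall"
    semanage export -f "$EXPORT_FILE"
    mv "/etc/selinux/$STORE/active" "/etc/selinux/$STORE/active.old"
    reinstall_policy
    reimport_customizations
    report_dropped_modules "$modules_before"
    if set_and_verify; then echo "fixed by rebuilding the active store"; return 0; fi

    echo "Rung 3: move aside the whole policy tree, reinstall"
    mv "/etc/selinux/$STORE" "/etc/selinux/$STORE.old"
    reinstall_policy
    reimport_customizations
    report_dropped_modules "$modules_before"
    if set_and_verify; then echo "fixed by reinstalling the policy tree"; return 0; fi

    echo "still inconsistent; check the yum output and /var/log/yum.log" >&2
    return 1
}

case ${1:-} in
    --run) recover ;;
    *) echo "usage: $0 --run    (as root; or source this file and call the functions)" ;;
esac
```

The verification deliberately reads the Default column rather than getsebool: in the thread getsebool reported "on" while the store still held "off", which is exactly the state a reboot reverts to.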
* RE: 'setsebool -P' works but throws errors; changes not permanent
  2018-06-19 12:38     ` Stephen Smalley
@ 2018-06-19 17:25       ` Mike Hughes
  0 siblings, 0 replies; 6+ messages in thread
From: Mike Hughes @ 2018-06-19 17:25 UTC (permalink / raw)
  To: selinux

> -----Original Message-----
> From: Stephen Smalley <sds@tycho.nsa.gov>
> Sent: Tuesday, June 19, 2018 07:39
> 
> On 06/18/2018 04:33 PM, Mike Hughes wrote:
> >> -----Original Message-----
> >> From: Stephen Smalley <sds@tycho.nsa.gov>
> >> Sent: Monday, June 18, 2018 15:28
> >> On 06/18/2018 03:44 PM, Mike Hughes wrote:
> >>> We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called “authlogin_yubikey”. It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:
> >>>
> >>> --
> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> off
> >>>
> >>> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> >>> libsepol.context_from_record: type gpio_device_t is not defined
> >>> libsepol.context_from_record: could not create context structure
> >>> libsepol.context_from_string: could not create context structure
> >>> libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> >>> invalid context system_u:object_r:gpio_device_t:s0
> >>
> >> Sounds like your policy is in an inconsistent internal state (somewhere you have a context with gpio_device_t but the type isn't defined in the policy).
> >>
> >> What's your policy version?  And did it perhaps fail during %post when it was updated -
> >> check yum.log?
> >
> > Nothing stands out to me in yum.log
> 
> There would have been error messages during the update of the selinux-policy-targeted
> package.
> 
> You didn't mention your policy version.  On an updated CentOS 7 VM, I see:
> $ rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
> 
> And it has gpio_device_t defined:
> $ seinfo -t | grep gpio_device_t
> gpio_device_t
> 
> And this type is used in file_contexts:
> $ semanage fcontext -l | grep gpio_device_t
> /dev/gpiochip[0-9]+	character device	system_u:object_r:gpio_device_t:s0

Thank you for the suggestions. I received the same responses, though the last one needed to be run as root.

> 
> >
> >
> >> Does semodule -B fail?
> >
> > No, it completes without error:
> >
> > --
> > [Cent-7:root@my_server ~]# semodule -B
> > [Cent-7:root@my_server ~]# echo $?
> > 0
> > [Cent-7:root@my_server ~]#
> > --
> >>
> >> Might have to move aside your policy and reinstall it.
> >
> > How might one accomplish this?
> 
> You could try first to just reinstall the package, e.g. yum reinstall selinux-policy-targeted.

This appears to have resolved the issue. After reinstalling the policy, setsebool does not throw errors and 'semanage boolean -l' indicates that the default state is set to "on":

--
[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> off
[Cent-7:root@my_server ~]# setsebool -P authlogin_yubikey on
[Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
authlogin_yubikey              (on   ,   on)  Allow authlogin to yubikey
--

> 
> If that doesn't resolve it, then export any local customizations you have and move aside
> your active policy store and try again, ala
> semanage export -f exports
> mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
> yum reinstall selinux-policy-targeted
> 
> Then check that everything in the exports file is something you want to preserve, and if
> so, re-import it.
> cat exports
> semanage import -f exports
> 
> If that doesn't resolve it, you could move aside the entire policy tree and try again, ala
> mv /etc/selinux/targeted /etc/selinux/targeted.old
> yum reinstall selinux-policy-targeted
> 
> And then re-import your exports if desired/appropriate.
> 
> You may also have to re-insert any local policy modules you have defined; I don't think
> export/import handles modules, just other changes.

Thank you for the sledgehammers! I'll keep these around for next time.
-Mike

> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> on
> >>> ---
> >>>
> >>> The system accepts two-factor while the above is set to “on”. After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to “off”:
> >>>
> >>> --
> >>> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> >>> SELinux boolean                State  Default Description
> >>> ...
> >>> authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
> >>> --
> >>>
> >>> It looks similar to the following bug on Fedora:
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1559174

* Re: 'setsebool -P' works but throws errors; changes not permanent
  2018-06-18 19:44 'setsebool -P' works but throws errors; changes not permanent Mike Hughes
  2018-06-18 20:27 ` Stephen Smalley
@ 2018-06-19 17:30 ` Jalus Bilieyich
  1 sibling, 0 replies; 6+ messages in thread
From: Jalus Bilieyich @ 2018-06-19 17:30 UTC (permalink / raw)
  To: Mike Hughes; +Cc: selinux

On Mon, 18 Jun 2018 19:44:10 +0000
Mike Hughes <mike@visionary.com> wrote:

> We use Yubikey for two-factor ssh authentication which requires enabling a Boolean called "authlogin_yubikey". It has been working fine until a few weeks ago. Errors appear when attempting to set the policy:
> 
> --
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> off
> 
> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> libsepol.context_from_record: type gpio_device_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert system_u:object_r:gpio_device_t:s0 to sid
> invalid context system_u:object_r:gpio_device_t:s0
> 
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> on
> ---
> 
> The system accepts two-factor while the above is set to "on". After some undetermined time (or immediately after a reboot) the Boolean toggles off. This can be confirmed since semanage shows that the default is still set to "off":
> 
> --
> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> SELinux boolean                State  Default Description
> ...
> authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
> --
> 
> It looks similar to the following bug on Fedora:
> https://bugzilla.redhat.com/show_bug.cgi?id=1559174


-- 
Jalus Bilieyich <countolaf17@gmail.com>
