View Issue Details

ID: 0000063
Project: AlmaLinux-8
Category: selinux-policy
View Status: public
Last Update: 2021-06-10 09:55
Reporter: luboslives
Assigned To: alukoshko
Priority: normal
Severity: block
Reproducibility: have not tried
Status: assigned
Resolution: open
OS: AlmaLinux from CentOS 8
OS Version: 8.3 Stable
Summary: 0000063: Unable to allow custom SSH port through SELinux policy
Description: I'm not very familiar with SELinux at all, so I can't give much more detail, but I know that when I want to use a custom port for SSH I first have to create an SELinux policy which permits this. This has resulted in an error which seems tied to the OS, check the Steps below.

Steps To Reproduce: Attempt to allow a custom port for SSH, for example port 1234:

semanage port -a -t ssh_port_t -p tcp 1234

Results in the following error (emphasis on the last line):

Traceback (most recent call last):
  File "/usr/sbin/semanage", line 975, in <module>
    do_parser()
  File "/usr/sbin/semanage", line 952, in do_parser
    commandParser = createCommandParser()
  File "/usr/sbin/semanage", line 882, in createCommandParser
    import seobject
  File "/usr/lib/python3.6/site-packages/seobject.py", line 33, in <module>
    import sepolicy
  File "/usr/lib/python3.6/site-packages/sepolicy/__init__.py", line 7, in <module>
    import setools
  File "/usr/lib64/python3.6/site-packages/setools/__init__.py", line 24, in <module>
    __version__ = pkg_resources.get_distribution("setools").version
AttributeError: module 'pkg_resources' has no attribute 'get_distribution'

Additionally, when I went to check on SELinux inside Cockpit, I see:

"Error running semanage to discover system modifications"
Additional Information: For background, I set up a fresh install of CentOS 8 on a VPS a couple of days ago and then ran the "almalinux-deploy" migration script. So far so good! This is the only issue I've run into.

Tags: No tags attached.

Activities

alukoshko

2021-04-15 14:02

developer   ~0000151

Hello and thank you for the report.
Looks like policycoreutils should be patched to detect AlmaLinux correctly.
We'll prepare an update for it asap.

alukoshko

2021-04-16 11:05

developer   ~0000153

So you have this issue after migration, right?
I wasn't able to reproduce the issue on fresh AlmaLinux install.

luboslives

2021-04-16 11:49

reporter   ~0000154

Yes after migrating from CentOS 8. Is there a chance the issue could be with Python and its modules/packages? I updated what I could with pip - whatever didn't fail to build - just a handful of packages. But yesterday I had to downgrade 3 of them to get a CLI utility (b2) to work.

Here's what I have installed according to pip:

arrow 0.17.0
b2 2.3.0
b2sdk 1.6.0
certifi 2020.12.5
chardet 4.0.0
configobj 5.0.6
dbus-python 1.2.4
decorator 5.0.7
docutils 0.16
ethtool 0.14
funcsigs 1.0.2
gpg 1.13.1
idna 2.10
imageio 2.9.0
importlib-metadata 3.10.1
iniparse 0.5
iotop 0.6
isc 2.0
logfury 0.1.2
NeuroTools 0.3.1
nftables 0.1
numpy 1.19.5
perf 0.1
phx-class-registry 3.0.5
Pillow 8.2.0
pip 21.0.1
ply 3.11
pycairo 1.16.3
pydbus 0.6.0
pygobject 3.28.3
pyinotify 0.9.6
PySocks 1.7.1
python-dateutil 2.8.1
python-dmidecode 3.12.2
python-linux-procfs 0.6.2
pyudev 0.22.0
PyYAML 3.12
requests 2.25.1
rpm 4.14.3
rst2ansi 0.1.5
schedutils 0.6
selinux 2.9
sepolicy 1.1
setools 4.3.0
setroubleshoot 1.1
setuptools 56.0.0
six 1.15.0
slip 0.6.4
slip.dbus 0.6.4
sos 3.9
SSSDConfig 2.3.0
subscription-manager 1.27.18
syspurpose 1.27.18
systemd-python 234
tqdm 4.60.0
typing-extensions 3.7.4.3
urllib3 1.26.4
zipp 3.4.1

And here's what I have installed according to dnf:

platform-python.x86_64 3.6.8-31.el8.alma @baseos
platform-python-pip.noarch 9.0.3-18.el8 @baseos
platform-python-setuptools.noarch 39.2.0-6.el8 @baseos
policycoreutils-python-utils.noarch 2.9-9.el8 @baseos
python-srpm-macros.noarch 3-39.el8 @appstream
python3-audit.x86_64 3.0-0.17.20191104git1c2f876.el8 @baseos
python3-bind.noarch 32:9.11.20-5.el8_3.1 @baseos
python3-cairo.x86_64 1.16.3-6.el8 @baseos
python3-chardet.noarch 3.0.4-7.el8 @baseos
python3-configobj.noarch 5.0.6-11.el8 @baseos
python3-dateutil.noarch 1:2.6.1-6.el8 @baseos
python3-dbus.x86_64 1.2.4-15.el8 @baseos
python3-decorator.noarch 4.2.1-2.el8 @baseos
python3-dmidecode.x86_64 3.12.2-15.el8 @baseos
python3-dnf.noarch 4.2.23-4.el8 @baseos
python3-dnf-plugins-core.noarch 4.0.17-5.el8 @baseos
python3-docutils.noarch 0.14-12.module_el8.3.0+6191+6b4b10ec @appstream
python3-ethtool.x86_64 0.14-3.el8 @baseos
python3-firewall.noarch 0.8.2-2.el8 @baseos
python3-gobject.x86_64 3.28.3-2.el8 @baseos
python3-gobject-base.x86_64 3.28.3-2.el8 @baseos
python3-gpg.x86_64 1.13.1-3.el8 @baseos
python3-hawkey.x86_64 0.48.0-5.el8.alma @baseos
python3-idna.noarch 2.5-5.el8 @baseos
python3-iniparse.noarch 0.4-31.el8 @baseos
python3-inotify.noarch 0.9.6-13.el8 @baseos
python3-libcomps.x86_64 0.1.11-4.el8 @baseos
python3-libdnf.x86_64 0.48.0-5.el8.alma @baseos
python3-librepo.x86_64 1.12.0-2.el8 @baseos
python3-libs.x86_64 3.6.8-31.el8.alma @baseos
python3-libselinux.x86_64 2.9-4.el8_3 @baseos
python3-libsemanage.x86_64 2.9-3.el8 @baseos
python3-libstoragemgmt.noarch 1.8.3-2.el8 @baseos
python3-libstoragemgmt-clibs.x86_64 1.8.3-2.el8 @baseos
python3-libxml2.x86_64 2.9.7-8.el8 @baseos
python3-linux-procfs.noarch 0.6.2-2.el8 @baseos
python3-nftables.x86_64 1:0.9.3-16.el8 @baseos
python3-perf.x86_64 4.18.0-240.22.1.el8_3 @baseos
python3-pip.noarch 9.0.3-18.el8 @appstream
python3-pip-wheel.noarch 9.0.3-18.el8 @baseos
python3-ply.noarch 3.9-8.el8 @baseos
python3-policycoreutils.noarch 2.9-9.el8 @baseos
python3-pydbus.noarch 0.6.0-5.el8 @baseos
python3-pysocks.noarch 1.6.8-3.el8 @baseos
python3-pyudev.noarch 0.21.0-7.el8 @baseos
python3-pyyaml.x86_64 3.12-12.el8 @baseos
python3-requests.noarch 2.20.0-2.1.el8 @baseos
python3-rpm.x86_64 4.14.3-4.el8 @baseos
python3-rpm-macros.noarch 3-39.el8 @appstream
python3-schedutils.x86_64 0.6-6.el8 @baseos
python3-setools.x86_64 4.3.0-2.el8 @baseos
python3-setuptools.noarch 39.2.0-6.el8 @baseos
python3-setuptools-wheel.noarch 39.2.0-6.el8 @baseos
python3-six.noarch 1.11.0-8.el8 @baseos
python3-slip.noarch 0.6.4-11.el8 @baseos
python3-slip-dbus.noarch 0.6.4-11.el8 @baseos
python3-sssdconfig.noarch 2.3.0-9.el8 @baseos
python3-subscription-manager-rhsm.x86_64 1.27.18-1.el8_3.alma.1 @baseos
python3-syspurpose.x86_64 1.27.18-1.el8_3.alma.1 @baseos
python3-systemd.x86_64 234-8.el8 @baseos
python3-unbound.x86_64 1.7.3-14.el8 @baseos
python3-urllib3.noarch 1.24.2-4.el8 @baseos
python36.x86_64 3.6.8-2.module_el8.3.0+6191+6b4b10ec @appstream

Sorry, I don't know if I can monospace that here.
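One way to check the question raised in the note above (whether pip-upgraded modules differ from what the RPMs ship), as an added example that is not part of the thread: it parses the two listing formats and reports modules where the pip version disagrees with the RPM version. The sample data is a subset copied from the lists above, and the mapping of pip names to `python3-<name>` RPM names is an assumption; the result shows version drift only and does not by itself identify the cause of the traceback.

```python
import re

# Constructed sample: a subset of the pip and dnf listings posted in this thread.
PIP_LIST = """\
setuptools 56.0.0
six 1.15.0
decorator 5.0.7
python-dateutil 2.8.1
PyYAML 3.12
setools 4.3.0
b2 2.3.0
"""
DNF_LIST = """\
python3-setuptools.noarch 39.2.0-6.el8 @baseos
python3-six.noarch 1.11.0-8.el8 @baseos
python3-decorator.noarch 4.2.1-2.el8 @baseos
python3-dateutil.noarch 1:2.6.1-6.el8 @baseos
python3-pyyaml.x86_64 3.12-12.el8 @baseos
python3-setools.x86_64 4.3.0-2.el8 @baseos
"""

def parse_pip(text):
    """Map normalized module name -> version from 'name version' lines."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            # Assumption: RPM names drop a leading 'python-' and are lowercase.
            name = re.sub(r"^python-", "", parts[0].lower())
            out[name] = parts[1]
    return out

def parse_dnf(text):
    """Map module name -> upstream version from 'python3-NAME.ARCH [E:]V-R @repo'."""
    out = {}
    pat = r"python3-([\w.-]+)\.(?:noarch|x86_64)\s+(?:\d+:)?([^-\s]+)-\S+"
    for line in text.splitlines():
        m = re.match(pat, line)
        if m:
            out[m.group(1).lower()] = m.group(2)  # epoch and release are dropped
    return out

def drift(pip_text, dnf_text):
    """Return sorted (name, rpm_version, pip_version) where pip disagrees with the RPM."""
    pip, rpm = parse_pip(pip_text), parse_dnf(dnf_text)
    return sorted((n, rpm[n], v) for n, v in pip.items() if n in rpm and rpm[n] != v)

if __name__ == "__main__":
    for name, rpm_v, pip_v in drift(PIP_LIST, DNF_LIST):
        print(f"{name}: rpm {rpm_v}, pip {pip_v}")
```

Modules that pip reports but no RPM provides (such as b2 here) are skipped, since there is no packaged version to compare against.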

alukoshko

2021-06-08 19:48

developer   ~0000265

Hello. Does the issue still occur on 8.4?
I still can't reproduce it.

luboslives

2021-06-10 09:55

reporter   ~0000272

Hi, I've updated the VPS to 8.4 along with all of the latest packages including the Python updates, and the latest kernel. I still get the same error as in the first post, in the traceback.

I did a bit of googling to see if I could get extra info from SELinux, so I tried setting the same custom SSH port policy and then tried `sealert -a /var/log/audit/audit.log` to get more info, but this actually leads to another error (sorry to pile on, but maybe this is relevant to SEL as well):

Traceback (most recent call last):
  File "/usr/bin/sealert", line 57, in <module>
    from setroubleshoot.util import get_identity, load_plugins, log_init, log_debug
  File "/usr/lib/python3.6/site-packages/setroubleshoot/util.py", line 2, in <module>
    from six.moves import range
ModuleNotFoundError: No module named 'six'

Issue History

Date Modified | Username | Field | Change
2021-04-15 12:06 | luboslives | New Issue |
2021-04-15 14:00 | alukoshko | Assigned To | => alukoshko
2021-04-15 14:00 | alukoshko | Status | new => assigned
2021-04-15 14:02 | alukoshko | Note Added: 0000151 |
2021-04-16 11:05 | alukoshko | Note Added: 0000153 |
2021-04-16 11:49 | luboslives | Note Added: 0000154 |
2021-06-08 19:48 | alukoshko | Note Added: 0000265 |
2021-06-10 09:55 | luboslives | Note Added: 0000272 |