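Root Cause Analysis
On CentOS 8, after installing policycoreutils-python-utils-2.9-16.el8.noarch, a custom SSH port could be added with semanage without problems. After the system was then updated with dnf update, the previously added custom SSH port was no longer in effect, as shown below: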
[root@vps ~]# getenforce
Enforcing
[root@vps ~]# semanage port -l | grep ssh
ssh_port_t tcp 22 // only the original default port remains
Adding the port again produces the following error:
[root@vps ~]# semanage port -a -t ssh_port_t -p tcp 44422
libsepol.context_from_record: type kdump_var_lib_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:kdump_var_lib_t:s0 to sid
invalid context system_u:object_r:kdump_var_lib_t:s0
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 255.
OSError: [Errno 0] Error
[root@vps ~]#
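This shows that the fault was caused by the system upgrade. Analysis determined that the fix is to reinstall selinux-policy.
Troubleshooting Steps
1. Uninstall semanage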
[root@vps ~]# dnf remove policycoreutils-python-utils-2.9-16.el8.noarch
Repository cr is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository extras-source is listed more than once in the configuration
Repository fasttrack is listed more than once in the configuration
Dependencies resolved.
===========================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================
Removing:
policycoreutils-python-utils noarch 2.9-16.el8 @BaseOS 138 k
Removing dependent packages:
setroubleshoot-plugins noarch 3.3.14-1.el8 @AppStream 2.6 M
setroubleshoot-server x86_64 3.3.24-4.el8 @AppStream 1.3 M
Removing unused dependencies:
checkpolicy x86_64 2.9-1.el8 @BaseOS 1.7 M
python3-audit x86_64 3.0-0.17.20191104git1c2f876.el8 @BaseOS 325 k
python3-libsemanage x86_64 2.9-6.el8 @BaseOS 438 k
python3-policycoreutils noarch 2.9-16.el8 @BaseOS 5.4 M
python3-setools x86_64 4.3.0-2.el8 @BaseOS 2.6 M
Transaction Summary
===========================================================================================================================================
Remove 8 Packages
Freed space: 14 M
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Erasing : setroubleshoot-plugins-3.3.14-1.el8.noarch 1/8
Erasing : setroubleshoot-server-3.3.24-4.el8.x86_64 2/8
Running scriptlet: setroubleshoot-server-3.3.24-4.el8.x86_64 2/8
Erasing : policycoreutils-python-utils-2.9-16.el8.noarch 3/8
Erasing : python3-policycoreutils-2.9-16.el8.noarch 4/8
Erasing : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 5/8
Erasing : checkpolicy-2.9-1.el8.x86_64 6/8
Erasing : python3-libsemanage-2.9-6.el8.x86_64 7/8
Erasing : python3-setools-4.3.0-2.el8.x86_64 8/8
Running scriptlet: python3-setools-4.3.0-2.el8.x86_64 8/8
Verifying : checkpolicy-2.9-1.el8.x86_64 1/8
Verifying : policycoreutils-python-utils-2.9-16.el8.noarch 2/8
Verifying : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 3/8
Verifying : python3-libsemanage-2.9-6.el8.x86_64 4/8
Verifying : python3-policycoreutils-2.9-16.el8.noarch 5/8
Verifying : python3-setools-4.3.0-2.el8.x86_64 6/8
Verifying : setroubleshoot-plugins-3.3.14-1.el8.noarch 7/8
Verifying : setroubleshoot-server-3.3.24-4.el8.x86_64 8/8
Removed:
checkpolicy-2.9-1.el8.x86_64 policycoreutils-python-utils-2.9-16.el8.noarch
python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 python3-libsemanage-2.9-6.el8.x86_64
python3-policycoreutils-2.9-16.el8.noarch python3-setools-4.3.0-2.el8.x86_64
setroubleshoot-plugins-3.3.14-1.el8.noarch setroubleshoot-server-3.3.24-4.el8.x86_64
Complete!
[root@vps ~]#
2. Uninstall selinux-policy and reboot the system
[root@vps ~]# dnf remove selinux-policy*
Repository cr is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository extras-source is listed more than once in the configuration
Repository fasttrack is listed more than once in the configuration
Dependencies resolved.
===========================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================
Removing:
selinux-policy noarch 3.14.3-41.el8 @anaconda 24 k
selinux-policy noarch 3.14.3-80.el8_5.2 @BaseOS 24 k
selinux-policy-targeted noarch 3.14.3-41.el8 @anaconda 50 M
selinux-policy-targeted noarch 3.14.3-80.el8_5.2 @BaseOS 50 M
Removing unused dependencies:
rpm-plugin-selinux x86_64 4.14.2-37.el8 @anaconda 12 k
rpm-plugin-selinux x86_64 4.14.3-19.el8 @BaseOS 12 k
Transaction Summary
===========================================================================================================================================
Remove 6 Packages
Freed space: 100 M
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Erasing : selinux-policy-targeted-3.14.3-80.el8_5.2.noarch 1/6
Running scriptlet: selinux-policy-targeted-3.14.3-80.el8_5.2.noarch 1/6
Erasing : selinux-policy-3.14.3-80.el8_5.2.noarch 2/6
Running scriptlet: selinux-policy-3.14.3-80.el8_5.2.noarch 2/6
Erasing : rpm-plugin-selinux-4.14.3-19.el8.x86_64 3/6
Erasing : selinux-policy-3.14.3-41.el8.noarch 4/6
Running scriptlet: selinux-policy-3.14.3-41.el8.noarch 4/6
Erasing : rpm-plugin-selinux-4.14.2-37.el8.x86_64 5/6
Erasing : selinux-policy-targeted-3.14.3-41.el8.noarch 6/6
Running scriptlet: selinux-policy-targeted-3.14.3-41.el8.noarch 6/6
Verifying : rpm-plugin-selinux-4.14.2-37.el8.x86_64 1/6
Verifying : rpm-plugin-selinux-4.14.3-19.el8.x86_64 2/6
Verifying : selinux-policy-3.14.3-41.el8.noarch 3/6
Verifying : selinux-policy-3.14.3-80.el8_5.2.noarch 4/6
Verifying : selinux-policy-targeted-3.14.3-41.el8.noarch 5/6
Verifying : selinux-policy-targeted-3.14.3-80.el8_5.2.noarch 6/6
Removed:
rpm-plugin-selinux-4.14.2-37.el8.x86_64 rpm-plugin-selinux-4.14.3-19.el8.x86_64 selinux-policy-3.14.3-41.el8.noarch
selinux-policy-3.14.3-80.el8_5.2.noarch selinux-policy-targeted-3.14.3-41.el8.noarch selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Complete!
[root@vps ~]# getenforce
Permissive // Note: when rebooting before selinux-policy has been reinstalled, never set the SELinux configuration file to enforcing mode, otherwise the system will not boot!!!
[root@vps ~]# reboot
3. Reinstall selinux-policy
[root@vps ~]# dnf install selinux-policy*
Repository cr is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository extras-source is listed more than once in the configuration
Repository fasttrack is listed more than once in the configuration
Last metadata expiration check: 0:46:56 ago on Fri 14 Jan 2022 10:04:16 PM PST.
Dependencies resolved.
===========================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================
Installing:
selinux-policy noarch 3.14.3-80.el8_5.2 BaseOS 636 k
selinux-policy-devel noarch 3.14.3-80.el8_5.2 BaseOS 1.5 M
selinux-policy-doc noarch 3.14.3-80.el8_5.2 BaseOS 2.8 M
selinux-policy-minimum noarch 3.14.3-80.el8_5.2 BaseOS 13 M
selinux-policy-mls noarch 3.14.3-80.el8_5.2 BaseOS 7.3 M
selinux-policy-sandbox noarch 3.14.3-80.el8_5.2 BaseOS 634 k
selinux-policy-targeted noarch 3.14.3-80.el8_5.2 BaseOS 15 M
Installing dependencies:
checkpolicy x86_64 2.9-1.el8 BaseOS 348 k
m4 x86_64 1.4.18-7.el8 BaseOS 223 k
make x86_64 1:4.2.1-10.el8 BaseOS 498 k
mcstrans x86_64 2.9-2.el8 BaseOS 136 k
policycoreutils-devel x86_64 2.9-16.el8 BaseOS 292 k
policycoreutils-newrole x86_64 2.9-16.el8 BaseOS 199 k
policycoreutils-python-utils noarch 2.9-16.el8 BaseOS 252 k
python3-audit x86_64 3.0-0.17.20191104git1c2f876.el8 BaseOS 86 k
python3-libsemanage x86_64 2.9-6.el8 BaseOS 127 k
python3-policycoreutils noarch 2.9-16.el8 BaseOS 2.2 M
python3-setools x86_64 4.3.0-2.el8 BaseOS 626 k
rpm-plugin-selinux x86_64 4.14.3-19.el8 BaseOS 77 k
Transaction Summary
===========================================================================================================================================
Install 19 Packages
Total size: 46 M
Total download size: 30 M
Installed size: 158 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] rpm-plugin-selinux-4.14.3-19.el8.x86_64.rpm: Already downloaded
[SKIPPED] selinux-policy-3.14.3-80.el8_5.2.noarch.rpm: Already downloaded
[SKIPPED] selinux-policy-targeted-3.14.3-80.el8_5.2.noarch.rpm: Already downloaded
(4/19): m4-1.4.18-7.el8.x86_64.rpm 207 kB/s | 223 kB 00:01
(5/19): checkpolicy-2.9-1.el8.x86_64.rpm 225 kB/s | 348 kB 00:01
(6/19): mcstrans-2.9-2.el8.x86_64.rpm 288 kB/s | 136 kB 00:00
(7/19): make-4.2.1-10.el8.x86_64.rpm 262 kB/s | 498 kB 00:01
(8/19): policycoreutils-newrole-2.9-16.el8.x86_64.rpm 361 kB/s | 199 kB 00:00
(9/19): policycoreutils-devel-2.9-16.el8.x86_64.rpm 396 kB/s | 292 kB 00:00
(10/19): python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64.rpm 285 kB/s | 86 kB 00:00
(11/19): policycoreutils-python-utils-2.9-16.el8.noarch.rpm 493 kB/s | 252 kB 00:00
(12/19): python3-libsemanage-2.9-6.el8.x86_64.rpm 343 kB/s | 127 kB 00:00
(13/19): python3-setools-4.3.0-2.el8.x86_64.rpm 758 kB/s | 626 kB 00:00
(14/19): selinux-policy-devel-3.14.3-80.el8_5.2.noarch.rpm 1.0 MB/s | 1.5 MB 00:01
(15/19): python3-policycoreutils-2.9-16.el8.noarch.rpm 1.1 MB/s | 2.2 MB 00:02
(16/19): selinux-policy-doc-3.14.3-80.el8_5.2.noarch.rpm 1.6 MB/s | 2.8 MB 00:01
(17/19): selinux-policy-sandbox-3.14.3-80.el8_5.2.noarch.rpm 1.3 MB/s | 634 kB 00:00
(18/19): selinux-policy-mls-3.14.3-80.el8_5.2.noarch.rpm 1.8 MB/s | 7.3 MB 00:04
(19/19): selinux-policy-minimum-3.14.3-80.el8_5.2.noarch.rpm 1.8 MB/s | 13 MB 00:07
-------------------------------------------------------------------------------------------------------------------------------------------
Total 2.6 MB/s | 30 MB 00:11
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : make-1:4.2.1-10.el8.x86_64 1/19
Running scriptlet: make-1:4.2.1-10.el8.x86_64 1/19
Installing : checkpolicy-2.9-1.el8.x86_64 2/19
Installing : python3-setools-4.3.0-2.el8.x86_64 3/19
Installing : python3-libsemanage-2.9-6.el8.x86_64 4/19
Installing : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 5/19
Installing : python3-policycoreutils-2.9-16.el8.noarch 6/19
Installing : policycoreutils-python-utils-2.9-16.el8.noarch 7/19
Installing : rpm-plugin-selinux-4.14.3-19.el8.x86_64 8/19
Installing : selinux-policy-3.14.3-80.el8_5.2.noarch 9/19
Running scriptlet: selinux-policy-3.14.3-80.el8_5.2.noarch 9/19
Running scriptlet: selinux-policy-minimum-3.14.3-80.el8_5.2.noarch 10/19
Installing : selinux-policy-minimum-3.14.3-80.el8_5.2.noarch 10/19
Running scriptlet: selinux-policy-minimum-3.14.3-80.el8_5.2.noarch 10/19
Running scriptlet: selinux-policy-targeted-3.14.3-80.el8_5.2.noarch 11/19
Installing : selinux-policy-targeted-3.14.3-80.el8_5.2.noarch 11/19
Running scriptlet: selinux-policy-targeted-3.14.3-80.el8_5.2.noarch 11/19
Installing : policycoreutils-newrole-2.9-16.el8.x86_64 12/19
Installing : mcstrans-2.9-2.el8.x86_64 13/19
Running scriptlet: mcstrans-2.9-2.el8.x86_64 13/19
Installing : m4-1.4.18-7.el8.x86_64 14/19
Running scriptlet: m4-1.4.18-7.el8.x86_64 14/19
Installing : policycoreutils-devel-2.9-16.el8.x86_64 15/19
Installing : selinux-policy-devel-3.14.3-80.el8_5.2.noarch 16/19
Running scriptlet: selinux-policy-devel-3.14.3-80.el8_5.2.noarch 16/19
Running scriptlet: selinux-policy-mls-3.14.3-80.el8_5.2.noarch 17/19
Installing : selinux-policy-mls-3.14.3-80.el8_5.2.noarch 17/19
Running scriptlet: selinux-policy-mls-3.14.3-80.el8_5.2.noarch 17/19
Installing : selinux-policy-sandbox-3.14.3-80.el8_5.2.noarch 18/19
Running scriptlet: selinux-policy-sandbox-3.14.3-80.el8_5.2.noarch 18/19
Installing : selinux-policy-doc-3.14.3-80.el8_5.2.noarch 19/19
Running scriptlet: selinux-policy-doc-3.14.3-80.el8_5.2.noarch 19/19
Verifying : checkpolicy-2.9-1.el8.x86_64 1/19
Verifying : m4-1.4.18-7.el8.x86_64 2/19
Verifying : make-1:4.2.1-10.el8.x86_64 3/19
Verifying : mcstrans-2.9-2.el8.x86_64 4/19
Verifying : policycoreutils-devel-2.9-16.el8.x86_64 5/19
Verifying : policycoreutils-newrole-2.9-16.el8.x86_64 6/19
Verifying : policycoreutils-python-utils-2.9-16.el8.noarch 7/19
Verifying : python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64 8/19
Verifying : python3-libsemanage-2.9-6.el8.x86_64 9/19
Verifying : python3-policycoreutils-2.9-16.el8.noarch 10/19
Verifying : python3-setools-4.3.0-2.el8.x86_64 11/19
Verifying : rpm-plugin-selinux-4.14.3-19.el8.x86_64 12/19
Verifying : selinux-policy-3.14.3-80.el8_5.2.noarch 13/19
Verifying : selinux-policy-devel-3.14.3-80.el8_5.2.noarch 14/19
Verifying : selinux-policy-doc-3.14.3-80.el8_5.2.noarch 15/19
Verifying : selinux-policy-minimum-3.14.3-80.el8_5.2.noarch 16/19
Verifying : selinux-policy-mls-3.14.3-80.el8_5.2.noarch 17/19
Verifying : selinux-policy-sandbox-3.14.3-80.el8_5.2.noarch 18/19
Verifying : selinux-policy-targeted-3.14.3-80.el8_5.2.noarch 19/19
Installed:
checkpolicy-2.9-1.el8.x86_64 m4-1.4.18-7.el8.x86_64
make-1:4.2.1-10.el8.x86_64 mcstrans-2.9-2.el8.x86_64
policycoreutils-devel-2.9-16.el8.x86_64 policycoreutils-newrole-2.9-16.el8.x86_64
policycoreutils-python-utils-2.9-16.el8.noarch python3-audit-3.0-0.17.20191104git1c2f876.el8.x86_64
python3-libsemanage-2.9-6.el8.x86_64 python3-policycoreutils-2.9-16.el8.noarch
python3-setools-4.3.0-2.el8.x86_64 rpm-plugin-selinux-4.14.3-19.el8.x86_64
selinux-policy-3.14.3-80.el8_5.2.noarch selinux-policy-devel-3.14.3-80.el8_5.2.noarch
selinux-policy-doc-3.14.3-80.el8_5.2.noarch selinux-policy-minimum-3.14.3-80.el8_5.2.noarch
selinux-policy-mls-3.14.3-80.el8_5.2.noarch selinux-policy-sandbox-3.14.3-80.el8_5.2.noarch
selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Complete!
[root@vps ~]# getenforce
Disabled
[root@vps ~]#
4. Check the previously added custom port
[root@vps ~]# semanage port -l | grep ssh
ssh_port_t tcp 44422, 22
If port 44422 is not listed above, run the following command to add it again:
[root@vps ~]# semanage port -a -t ssh_port_t -p tcp 44422
5. Edit the SELinux configuration, changing disabled to enforcing, as follows
[root@vps ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
6. Reboot the system and check whether login through the custom port works
[root@vps ~]# reboot
[root@vps ~]# netstat -tnlup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:44422 0.0.0.0:* LISTEN 712/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 712/sshd
tcp6 0 0 :::44422 :::* LISTEN 712/sshd
tcp6 0 0 :::22 :::* LISTEN 712/sshd
[root@vps ~]#
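
Step 4 checks the port mapping by eye with grep. The following added example (not part of the original post) parses `semanage port -l` output for an exact port match, including ports that fall inside a range, and adds the mapping only when it is missing. The function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.

# port_has_type TYPE PROTO PORT
# Reads `semanage port -l` output on stdin. Succeeds only if PORT/PROTO is
# assigned to TYPE, either listed on its own or covered by a range (a-b).
# Unlike a plain grep, 4442 does not match a line that lists 44422.
port_has_type() {
    awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            # Fields 3..NF are the port list, e.g. "44422," "22" "5900-5983"
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)
                if (split(item, r, "-") == 2) {
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) { found = 1 }
                } else if (item + 0 == n + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# ensure_ssh_port PORT
# Idempotent form of step 4: add the ssh_port_t mapping only when it is
# missing, so rerunning it does not fail with "already defined".
ensure_ssh_port() {
    if semanage port -l | port_has_type ssh_port_t tcp "$1"; then
        echo "ssh_port_t already covers tcp/$1"
    else
        semanage port -a -t ssh_port_t -p tcp "$1"
    fi
}

# Constructed samples mirroring the two states shown in the post.
sample_after_update='ssh_port_t                     tcp      22'
sample_after_fix='ssh_port_t                     tcp      44422, 22'
```

Run `ensure_ssh_port 44422` as root once step 3 has completed, and again after any later policy update, to confirm the customization is still present before relying on the custom port.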