Bug 1335149
Summary: | systemctl --all --failed
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy
Version: | 24
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | ashutoshbhakare <unnatisales123>
Assignee: | Lukas Vrabec <lvrabec>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dominick.grift, dwalsh, jjelen, lvrabec, mattias.ellert, mgrepl, plautrba, tmraz
Fixed In Version: | selinux-policy-3.13.1-187.fc24 selinux-policy-3.13.1-189.fc24
Doc Type: | Bug Fix
Last Closed: | 2016-05-28 18:34:20 UTC
Type: | Bug

Can you provide more information how you "used Fedora-Cloud-Base-24_Beta"? And logs from systemd why this service didn't start properly? Also with kernel/systemd debug switch should tell us more about the problem.

(In reply to Jakub Jelen from comment #1)
> Can you provide more information how you "used Fedora-Cloud-Base-24_Beta"?
> And logs from systemd why this service didn't start properly? Also with
> kernel/systemd debug switch should tell us more about the problem.

```
● sshd-keygen - OpenSSH ecdsa Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-05-11 17:43:51 UTC; 15h ago
  Process: 864 ExecStart=/usr/libexec/openssh/sshd-keygen %i (code=exited, status=1/FAILURE)
 Main PID: 864 (code=exited, status=1/FAILURE)

May 11 17:43:50 testday.novalocal systemd[1]: Starting OpenSSH ecdsa Server Key Generation...
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen: Main process exited, code=exited, status=1/FAILURE
May 11 17:43:51 testday.novalocal systemd[1]: Failed to start OpenSSH ecdsa Server Key Generation.
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen: Unit entered failed state.
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen: Failed with result 'exit-code'.
```

sshd-keygen fails with exit status=1 when ssh-keygen fails:

```
# create new keys
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
    exit 1
fi
```

Do you see some SELinux AVCs or in audit? How do the labels on keys look like?

```
ls -lZ /etc/ssh/ssh_host_*
```

It might be also the problem with labels on /usr/libexec/openssh/sshd-keygen there is bin_t but should be sshd_keygen_exec_t (that should have been handled earlier too). But I am wondering why it does happen only for ecdsa keys. It might be possible that even the rm fails earlier:

```
# remove old keys
rm -f $KEY{,.pub}
```

Can you reproduce it after changing context?

```
chcon -t sshd_keygen_exec_t /usr/libexec/openssh/sshd-keygen
```

We should certainly fix this one. I would be really curious in what state is your system to do such things. Moving to SELinux policy.

Lukas, we need probably the same SELinux context on /usr/libexec/openssh/sshd-keygen as it is currently on /usr/sbin/sshd-keygen

This file will go away, but no earlier than in Fedora 25.

selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-43d1395a18

selinux-policy-3.13.1-188.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3ccd9afa2f

selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
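
The comments above distinguish a file whose on-disk label is wrong from a policy that has no rule assigning the right type, which is the case this bug was moved to selinux-policy for. The following is an added shell example, not part of the bug report, that classifies a file into one of those cases; the function names and result strings are assumptions, and `stat -c %C` and `matchpathcon -n` supply the inputs on a live SELinux host.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a wrong SELinux
# type on a file is a labeling problem or a policy problem.

# Print the type (third field) of a context such as system_u:object_r:bin_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify WANT_TYPE DISK_CONTEXT POLICY_CONTEXT
#   DISK_CONTEXT   - label currently on the file         (stat -c %C PATH)
#   POLICY_CONTEXT - label the loaded policy would assign (matchpathcon -n PATH)
# Prints one of the hypothetical result strings: ok, mislabeled, policy-gap.
classify() {
    local want="$1" disk policy
    disk=$(ctx_type "$2")
    policy=$(ctx_type "$3")
    if [ "$policy" != "$want" ]; then
        # The policy itself does not assign the wanted type. A manual chcon
        # only lasts until the next relabel; the fix is a policy update.
        echo "policy-gap"
    elif [ "$disk" != "$want" ]; then
        # Policy is correct, the file is not: restorecon on the path repairs it.
        echo "mislabeled"
    else
        echo "ok"
    fi
}

# Live wrapper for an SELinux host: audit_file PATH WANT_TYPE
audit_file() {
    local path="$1" want="$2"
    classify "$want" "$(stat -c %C "$path")" "$(matchpathcon -n "$path")"
}

# Usage on the system from this report (types taken from the comments above):
#   audit_file /usr/libexec/openssh/sshd-keygen sshd_keygen_exec_t
```

A `policy-gap` result persists after a `chcon` workaround, which is why the check looks at the policy default before the on-disk label.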

Created attachment 1156130
Snap of error

Description of problem:
sshd-keygen loaded in failed state

Version-Release number of selected component (if applicable):
Fedora 24 Beta

How reproducible:

Steps to Reproduce:
1. Used Fedora-Cloud-Base-24_Beta
2. Generated the key
3. Accessed using fedora user
4. systemctl --all --failed

Actual results:
sshd-keygen failed

Expected results:
All services should start properly

Additional info: