Bug 1335149 - systemctl --all --failed
Summary: systemctl --all --failed
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 24
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-05-11 12:35 UTC by ashutoshbhakare
Modified: 2016-05-28 18:34 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-187.fc24 selinux-policy-3.13.1-189.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-28 18:34:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Snap of error (78.46 KB, image/png)
2016-05-11 12:35 UTC, ashutoshbhakare
no flags Details

Description ashutoshbhakare 2016-05-11 12:35:38 UTC
Created attachment 1156130 [details]
Snap of error

Description of problem:
sshd-keygen@ecdsa.service loaded in failed state


Version-Release number of selected component (if applicable): Fedora 24 Beta


How reproducible:



Steps to Reproduce:
1.Used Fedora-Cloud-Base-24_Beta
2.Generated the key 
3.Accessed using fedora user 
4.systemctl --all --failed

Actual results:
ssshd-keygen@ecdsa.service failed 



Expected results:
All services should start properly

Additional info:

Comment 1 Jakub Jelen 2016-05-11 12:43:08 UTC
Can you provide more information how you "used Fedora-Cloud-Base-24_Beta"? And logs from systemd why this service didn't start properly? Also with kernel/systemd debug switch should tell us more about the problem.

Comment 2 ashutoshbhakare 2016-05-12 04:07:51 UTC
(In reply to Jakub Jelen from comment #1)
> Can you provide more information how you "used Fedora-Cloud-Base-24_Beta"?
> And logs from systemd why this service didn't start properly? Also with
> kernel/systemd debug switch should tell us more about the problem.sshd-keygen@ecdsa.service - OpenSSH ecdsa Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-05-11 17:43:51 UTC; 15h ago
  Process: 864 ExecStart=/usr/libexec/openssh/sshd-keygen %i (code=exited, status=1/FAILURE)
 Main PID: 864 (code=exited, status=1/FAILURE)

May 11 17:43:50 testday.novalocal systemd[1]: Starting OpenSSH ecdsa Server Key Generation...
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen@ecdsa.service: Main process exited, code=exited, status=1/FAILURE
May 11 17:43:51 testday.novalocal systemd[1]: Failed to start OpenSSH ecdsa Server Key Generation.
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen@ecdsa.service: Unit entered failed state.
May 11 17:43:51 testday.novalocal systemd[1]: sshd-keygen@ecdsa.service: Failed with result 'exit-code'.

Comment 3 Jakub Jelen 2016-05-12 10:58:06 UTC
sshd-keygen fails with exit status=1 when ssh-keygen fails:

    # create new keys
    if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
        exit 1
    fi

Do you see some SELinux AVCs or in audit? How do the labels on keys look like?

    ls -lZ /etc/ssh/ssh_host_*

It might be also the problem with labels on  /usr/libexec/openssh/sshd-keygen  there is  bin_t  but should be   sshd_keygen_exec_t  (that should have been handled earlier too).

But I am wondering why it does happen only for ecdsa keys. It might be possible that even the rm fails earlier:

    # remove old keys
    rm -f $KEY{,.pub}

Can you reproduce it after changing context?

    chcon -t sshd_keygen_exec_t /usr/libexec/openssh/sshd-keygen

We should certainly fix this one.

Comment 4 Jakub Jelen 2016-05-16 15:16:07 UTC
I would be really curious in what state is your system to do such things.

Moving to SELinux policy. Lukas, we need probably the same SELinux context on 

  /usr/libexec/openssh/sshd-keygen

as it is currently on

  /usr/sbin/sshd-keygen

This file will go away, but no earlier than in Fedora 25.

Comment 5 Fedora Update System 2016-05-26 05:02:01 UTC
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-43d1395a18

Comment 6 Fedora Update System 2016-05-26 05:03:01 UTC
selinux-policy-3.13.1-188.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3ccd9afa2f

Comment 7 Fedora Update System 2016-05-28 18:33:55 UTC
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.