I ran into an interesting problem today when an az ssh vm command was giving a denied public key error on a RHEL 8.9 VM in Azure. I verified the correct IAM permission was set up to allow login, so it wasn’t that. Time to jump onto the VM via regular ole ssh.
I started poking around in the logs and saw this error:
libsemanage.semanage_direct_get_module_info: Unable to open aad_permissions module lang ext file at /var/lib/selinux/targeted/tmp/modules/400/aad_permissions/lang_ext. (No such file or directory).
aad_permissions told me it had something to do with the AAD login for Linux. I navigated to the AAD SSH login package directory in /var/lib/waagent/… and reviewed the installer.sh. I saw it installs both of these packages:
aadsshlogin-selinux
aadsshlogin
Running semodule -l to see if those modules were installed instantly blew up, returning the lang_ext error from above. At this point, something with SELinux had hosed my custom SELinux modules. I thought, ok, let me just uninstall and reinstall the aadsshloginforlinux extension. Uninstall worked, but the install blew up, again, with the same error above.
I figured I needed to reinitialize the SELinux modules. I did that by doing the following:
mv /var/lib/selinux/targeted /var/lib/selinux/targeted.bkup
rm -rf /etc/selinux/tmp
yum reinstall selinux-policy-targeted
This will recreate the targeted folder. I then reinstalled the aadsshlogin packages:
yum reinstall aadsshlogin-selinux.x86_64
yum reinstall aadsshlogin.x86_64
Then ./installer.sh install installed the extension successfully. I could have skipped the reinstall of the aadsshlogin packages, but I wanted to verify they installed successfully.
After that, I was able to log back in, verify that /var/lib/selinux/targeted/tmp/modules/400/aad_permissions/lang_ext exists, and successfully az ssh vm in.
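The recovery above, wrapped as a script with a check before the destructive steps and a verification after them. This is an added example, not the post's own commands or Microsoft's; the paths and package names are the ones the post gives, while the location of installer.sh under /var/lib/waagent is not stated exactly, so it is passed in as an argument.

```shell
#!/bin/bash
# Added example (not from the original post): rebuild a broken SELinux module
# store on RHEL 8 after the aad_permissions lang_ext error, with checks.
set -eu

STORE=/var/lib/selinux/targeted
MODULE_REL=tmp/modules/400/aad_permissions/lang_ext

# Pure check: does the module store under $1 contain the aad_permissions
# module's lang_ext file? Returns 0 when present, 1 otherwise.
module_store_healthy() {
    root=$1
    [ -f "$root/$MODULE_REL" ]
}

# Symptom check from the post: semodule -l fails with a lang_ext error.
semodule_broken() {
    semodule -l 2>&1 | grep -q 'lang_ext'
}

# $1 is the path to the extension's installer.sh (assumed; see lead-in).
recover_selinux_store() {
    installer=$1
    backup="$STORE.bkup.$(date +%Y%m%d%H%M%S)"
    if ! semodule_broken; then
        echo "semodule -l works; nothing to recover" >&2
        return 0
    fi
    echo "backing up module store to $backup"
    mv "$STORE" "$backup"           # keep the old store for later analysis
    rm -rf /etc/selinux/tmp
    yum -y reinstall selinux-policy-targeted   # recreates $STORE
    yum -y reinstall aadsshlogin-selinux.x86_64 aadsshlogin.x86_64
    "$installer" install
    # Verify the module is listed again and the file from the error exists.
    semodule -l | grep -q '^aad_permissions' ||
        { echo "aad_permissions not listed by semodule -l" >&2; return 1; }
    module_store_healthy "$STORE" ||
        { echo "$STORE/$MODULE_REL still missing" >&2; return 1; }
    echo "recovery complete; retry az ssh vm"
}

# Only run the destructive recovery when explicitly asked: ./recover.sh run <installer.sh>
if [ "${1:-}" = "run" ]; then
    recover_selinux_store "$2"
fi
```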
Now, what corrupted SELinux? I have no idea; that will be an investigation for tomorrow.
Cheers!
