Bug 2316915

| Field | Value |
|---|---|
| Summary | Networkmanager SSH vpn works only with SELinux disabled |
| Product | Fedora |
| Reporter | H.Janssen <hmmsjan> |
| Component | NetworkManager-ssh |
| Assignee | Dan Fruehauf <malkodan> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | low |
| Priority | unspecified |
| Version | 41 |
| CC | echevemaster, malkodan, oliveriandrea |
| Keywords | Desktop |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | NetworkManager-ssh-1.2.14-2.fc41, NetworkManager-ssh-1.2.14-2.fc42 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2025-03-11 01:33:54 UTC |
Description

H.Janssen, 2024-10-07 08:42:07 UTC

Created attachment 2050823 [details]: SELinux problems seen after semodule -DB and enforce=0
Interesting. Creating a SELinux module using the attached file creates a working system.

G'day. I'm attaching a .te selinux file that should be sufficient for running NetworkManager-ssh - it works for me in all 3 authentication modes (ssh-agent, key, password). I'm still unsure how I should incorporate that selinux policy, so if you (H. Janssen) can assist with that, it'd be great.

Created attachment 2078313 [details]: Selinux policy
Selinux policy, tested with all 3 modes of authentication
With this attachment 2078313 [details] installed into SELinux, plus another AVC:

```text
#============= NetworkManager_ssh_t ==============
allow NetworkManager_ssh_t config_home_t:file { getattr open read };
allow NetworkManager_ssh_t self:capability dac_override;
allow NetworkManager_ssh_t ssh_exec_t:file execute_no_trans;
allow NetworkManager_ssh_t user_tmp_t:sock_file getattr;
```

And taking care that the FQDN entered in nm-connection-editor was in known_hosts instead of the shortname, it works in F42->F42.
Thanks!
I've added the extra config_home_t entry to the policy. As per now, I'll package the policy together with the package. However, I saw there are new guidelines for Fedora module packaging which I don't really understand, but I'll adapt to them once I understand what is required. I'll push the fix for f41, f42 and rawhide.

FEDORA-2025-a20972b2b8 (NetworkManager-ssh-1.2.14-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a20972b2b8

FEDORA-2025-2d1d86ba58 (NetworkManager-ssh-1.2.14-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-2d1d86ba58

Version 1.2.14-1 should take care of that. The selinux policy was also pushed upstream (github).

It works fine now, both F41 and F42 in both directions.
Concerning packaging of SELinux, I've no experience. I only see packages like for mysql:

```text
rpm -q --queryformat '[%{FILENAMES} %{FILEFLAGS:fflags}\n]' mysql-selinux
/usr/share/licenses/mysql-selinux
/usr/share/licenses/mysql-selinux/COPYING l
/usr/share/selinux/packages/targeted/mysql.pp.bz2
/var/lib/selinux/targeted/active/modules/200/mysql g
```

This means the only relevant file is /usr/share/selinux/packages/targeted/mysql.pp.bz2, the 200/mysql is a ghost.

The pp file could be generated with (selinux-policy-devel package):

```text
#cp NetworkManager-ssh.te nm-ssh-service.te
#make -f /usr/share/selinux/devel/Makefile nm-ssh-service.pp
Compiling targeted nm-ssh-service module
Creating targeted nm-ssh-service.pp policy package
rm tmp/nm-ssh-service.mod tmp/nm-ssh-service.mod.fc
```

There are two instances of the word "mysql" in the embedded scripts, so maybe 2 changes do the job...
You could give it a try...
I think I'm on top of things creating the selinux policy. My main question is... Should I make NetworkManager-ssh depend on NetworkManager-ssh-selinux? According to https://fedoraproject.org/wiki/SELinuxModularityPackagingGuidance - I should be creating a module profile, which I'm not sure how to. At the moment, it is packaged in the same package (at NetworkManager-ssh).

Alright, version 1.2.14-2 will have a NetworkManager-selinux package. NetworkManager-ssh package will require it (like in the provided example). I've tested it on f41 and looks good. I'll push it for f41, f42 and already pushed for rawhide.

Now I start understanding why I could not get it running on 42. Knowing that it should work with the attached policy, I tried by hand. Failure without SELinux notification. Now I learned that there are policies which are not audited. After "semodule -DB", I was flooded with notifications and it took three iterations before it connected, and still AVC's popping up. So there should definitely be a NetworkManager-ssh-selinux package installed together with NetworkManager-ssh, otherwise a normal user gets totally confused. I must admit I do not understand the concept of SELinux violations without notice which are fatal, e.g. in this case, access to ssh-agent was blocked without notice.

FEDORA-2025-78315ed8c6 (NetworkManager-ssh-1.2.14-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-78315ed8c6

FEDORA-2025-94e668b303 (NetworkManager-ssh-1.2.14-2.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-94e668b303

> SELinux violations without notice which are fatal,
> e.g. In this case, access to ssh-agent was blocked without notice.

Had something similar when I was debugging that too. But "semodule -DB" did give me those blocks...
Either way, I hope the attached policy will fix stuff for the time being!
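The allow rules quoted earlier in this bug are what audit2allow produces by aggregating AVC denials per source type, target type and object class, and the iteration described after `semodule -DB` is that same loop run again once dontaudit rules are lifted and previously silent denials start showing up. The Python below is an added example, not code from the bug or from NetworkManager-ssh: it reproduces that aggregation over constructed AVC records (the sample lines, pids and paths are made up) and flags rules that grant permissions a packager should look at before shipping them, such as dac_override.

```python
import re
from collections import defaultdict

# Permission set, source/target contexts and object class of one AVC denial record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<sctx>\S+)"
                    r"\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")
# Permissions that deserve a human look before they are written into a policy module.
REVIEW_PERMS = {"dac_override", "dac_read_search", "execute_no_trans", "sys_admin"}

# Constructed sample audit records (not taken from the bug report); the SYSCALL line is noise.
SAMPLE_AVCS = """\
type=AVC msg=audit(1731000000.101:201): avc:  denied  { read } for  pid=1234 comm="nm-ssh-service" path="/home/user/.ssh/config" scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1731000000.102:202): avc:  denied  { open getattr } for  pid=1234 comm="nm-ssh-service" path="/home/user/.ssh/config" scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1731000000.103:203): avc:  denied  { dac_override } for  pid=1234 comm="nm-ssh-service" capability=1 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:system_r:NetworkManager_ssh_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1731000000.104:204): avc:  denied  { getattr } for  pid=1235 comm="ssh" path="/run/user/1000/keyring/ssh" scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1731000000.104:204): arch=c000003e syscall=4 success=no exit=-13
"""

def parse_avcs(text):
    """Aggregate denials into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) carry no denial and are skipped
            # the type is the third field of a user:role:type[:level] context
            key = (m["sctx"].split(":")[2], m["tctx"].split(":")[2], m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule; the target becomes 'self' when it equals the source type."""
    target = "self" if ttype == stype else ttype
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"

def to_policy(rules):
    """Render rules grouped under a per-source-type header, as audit2allow prints them."""
    order = sorted(rules, key=lambda k: (k[0], "self" if k[1] == k[0] else k[1], k[2]))
    out, current = [], None
    for s, t, c in order:
        if s != current:
            out.append(f"#============= {s} ==============")
            current = s
        out.append(format_rule(s, t, c, rules[(s, t, c)]))
    return "\n".join(out)

def needs_review(rules):
    """Rendered rules that grant a permission from REVIEW_PERMS."""
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(rules.items()) if p & REVIEW_PERMS]
```

Running `to_policy(parse_avcs(SAMPLE_AVCS))` yields the same three-rule block shape as the one quoted in this bug, and `needs_review` singles out the self:capability dac_override line for a second look rather than letting it pass through unnoticed.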
FEDORA-2025-78315ed8c6 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-78315ed8c6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-78315ed8c6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-94e668b303 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-94e668b303` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-94e668b303 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

From the F42 updates-testing, I'm confident that this bug can be marked as solved:
rpm -e --nodeps NetworkManager-ssh-selinux: immediate failure upon connection.
dnf reinstall NetworkManager-ssh-selinux: Connection

FEDORA-2025-78315ed8c6 (NetworkManager-ssh-1.2.14-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2025-94e668b303 (NetworkManager-ssh-1.2.14-2.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.

*** Bug 2346352 has been marked as a duplicate of this bug. ***