Description of problem: Connect to SSH VPN from the gnome menu for the first time after upgrade to rawhide. SELinux is preventing ssh from 'append' accesses on the file known_hosts. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ssh should be allowed append access on the known_hosts file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ssh' --raw | audit2allow -M my-ssh # semodule -X 300 -i my-ssh.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context unconfined_u:object_r:ssh_home_t:s0 Target Objects known_hosts [ file ] Source ssh Source Path ssh Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-6.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.16.0-0.rc5.git3.1.fc29.x86_64 #1 SMP Fri Mar 16 15:28:11 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-03-20 08:40:52 GMT Last Seen 2018-03-20 08:40:52 GMT Local ID 6476ff9d-62f4-486f-a930-b5868bcc761e Raw Audit Messages type=AVC msg=audit(1521535252.181:255): avc: denied { append } for pid=2835 comm="ssh" name="known_hosts" dev="dm-0" ino=15204532 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=1 Hash: ssh,NetworkManager_t,ssh_home_t,file,append Version-Release number of selected component: selinux-policy-3.14.2-6.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc5.git3.1.fc29.x86_64 type: libreport Potential duplicate: bug 1360407
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.