Description of problem:
Trying to connect to SSH Tunnel using GNOME Network Manager SSH plugin.

SELinux is preventing sh from 'execute_no_trans' accesses on the file /usr/bin/kmod.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sh should be allowed execute_no_trans access on the kmod file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_ssh_t:s0
Target Context                system_u:object_r:insmod_exec_t:s0
Target Objects                /usr/bin/kmod [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           kmod-25-2.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-21.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.3-300.fc28.x86_64 #1 SMP Thu Apr 19 19:04:56 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-04-26 01:40:57 EET
Last Seen                     2018-04-26 01:40:57 EET
Local ID                      076102d1-79e7-4127-af35-aedfa7594773

Raw Audit Messages
type=AVC msg=audit(1524699657.122:688): avc: denied { execute_no_trans } for pid=28467 comm="sh" path="/usr/bin/kmod" dev="sda2" ino=2259018 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file permissive=0

Hash: sh,NetworkManager_ssh_t,insmod_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-3.14.1-21.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.5-300.fc28.x86_64
type:           libreport
*** Bug 1574157 has been marked as a duplicate of this bug. ***
*** Bug 1574158 has been marked as a duplicate of this bug. ***
*** Bug 1574159 has been marked as a duplicate of this bug. ***
*** Bug 1574160 has been marked as a duplicate of this bug. ***
*** Bug 1574168 has been marked as a duplicate of this bug. ***
*** Bug 1574176 has been marked as a duplicate of this bug. ***
*** Bug 1574180 has been marked as a duplicate of this bug. ***
Hi Jiri, Could we collect here all SELinux denials related to blocking connection to SSH Tunnel using GNOME Network Manager SSH plugin? Thanks, Lukas.
This is what I get while trying to use SSH Tunnel via NM:

Udělejte prozatím tento přístup povolíte příkazy:
# ausearch -c 'nm-ssh-service' --raw | audit2allow -M my-nmsshservice
# semodule -X 300 -i my-nmsshservice.pp

Doplňující informace:
Kontext zdroje                system_u:system_r:NetworkManager_ssh_t:s0
Kontext cíle                  system_u:object_r:system_dbusd_var_run_t:s0
Objekty cíle                  system_bus_socket [ sock_file ]
Zdroj                         nm-ssh-service
Cesta zdroje                  nm-ssh-service
Port                          <Unknown>
Počítač                       xps13-jeischma
RPM balíčky zdroje
RPM balíčky cíle
RPM politiky                  selinux-policy-3.14.1-25.fc28.noarch
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název počítače                xps13-jeischma
Platforma                     Linux xps13-jeischma 4.16.11-300.fc28.x86_64 #1 SMP Tue May 22 18:29:09 UTC 2018 x86_64 x86_64
Počet upozornění              1
Poprvé viděno                 2018-05-28 15:27:44 CEST
Naposledy viděno              2018-05-28 15:27:44 CEST
Místní ID                     0d16ad86-c3be-469a-a584-cf7c1d609d37

Původní zprávy auditu
type=AVC msg=audit(1527514064.334:416): avc: denied { write } for pid=15028 comm="nm-ssh-service" name="system_bus_socket" dev="tmpfs" ino=27037 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0

Hash: nm-ssh-service,NetworkManager_ssh_t,system_dbusd_var_run_t,sock_file,write

I'm not sure I'm the right person to debug this. I have no previous experience with this plugin and neither me nor anyone on my team maintains GNOME Network Manager.
I fixed the SELinux denials from your report. Will close it for now. Feel free to re-open if you still have some troubles with NetworkManager_ssh_t.
selinux-policy-3.14.1-32.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.