Bug 1761071 - SELinux is preventing NetworkManager VPN via SSH wrorking
Summary: SELinux is preventing NetworkManager VPN via SSH wrorking
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Linux
medium
high
Target Milestone: ---
Assignee: Nikola Knazekova
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1813096 1813097 1813098 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-12 09:33 UTC by Andrea
Modified: 2020-06-26 15:45 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.14.4-52.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-05 02:39:55 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
journalctl arount the failed attempt. (2.36 KB, text/plain)
2019-10-12 09:33 UTC, Andrea
no flags Details
Log with setenforce 0 (16.89 KB, text/plain)
2019-10-12 09:36 UTC, Andrea
no flags Details

Description Andrea 2019-10-12 09:33:44 UTC
Created attachment 1624944 [details]
journalctl arount the failed attempt.

Description of problem:

VPN via NetworkManager-ssh do not work due to a selinux denial error.

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-46.fc30.noarch

NetworkManager-ssh-gnome-1.2.10-1.fc30.x86_64
NetworkManager-openconnect-gnome-1.2.6-2.fc30.x86_64
NetworkManager-wifi-1.16.4-1.fc30.x86_64
NetworkManager-ssh-1.2.10-1.fc30.x86_64
NetworkManager-config-connectivity-fedora-1.16.4-1.fc30.noarch
NetworkManager-openvpn-gnome-1.8.10-1.fc30.x86_64
NetworkManager-1.16.4-1.fc30.x86_64
NetworkManager-pptp-1.2.8-1.fc30.1.x86_64
NetworkManager-openconnect-1.2.6-2.fc30.x86_64
NetworkManager-vpnc-1.2.6-2.fc30.x86_64
NetworkManager-libnm-1.16.4-1.fc30.x86_64
NetworkManager-pptp-gnome-1.2.8-1.fc30.1.x86_64
NetworkManager-openvpn-1.8.10-1.fc30.x86_64
NetworkManager-ppp-1.16.4-1.fc30.x86_64
NetworkManager-vpnc-gnome-1.2.6-2.fc30.x86_64
NetworkManager-adsl-1.16.4-1.fc30.x86_64
NetworkManager-team-1.16.4-1.fc30.x86_64


How reproducible:

Always

Steps to Reproduce:
1.Create a NetworkManager VPN via SSH
2.Start it

Actual results:

VPN does not connect

Expected results:

VPN connect

Additional info:

sudo setenforce 0
and it works.

Comment 1 Andrea 2019-10-12 09:36:47 UTC
Created attachment 1624945 [details]
Log with setenforce 0

Comment 2 Zdenek Pytela 2020-03-17 14:30:05 UTC
*** Bug 1813097 has been marked as a duplicate of this bug. ***

Comment 3 Knut J BJuland 2020-04-17 05:44:59 UTC
This also applies to Fedora 31.

Comment 4 Knut J BJuland 2020-04-17 05:46:27 UTC
Comment on attachment 1624945 [details]
Log with setenforce 0

ssh -vv knutjb.1.205
OpenSSH_8.1p1, OpenSSL 1.1.1d FIPS  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host 192.168.1.205 originally 192.168.1.205
debug2: match not found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 192.168.1.205 is address
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host 192.168.1.205 originally 192.168.1.205
debug2: match found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.205 [192.168.1.205] port 22.
debug1: Connection established.
debug1: identity file /home/knutjb/.ssh/id_rsa type 0
debug1: identity file /home/knutjb/.ssh/id_rsa-cert type -1
debug1: identity file /home/knutjb/.ssh/id_dsa type -1
debug1: identity file /home/knutjb/.ssh/id_dsa-cert type -1
debug1: identity file /home/knutjb/.ssh/id_ecdsa type 2
debug1: identity file /home/knutjb/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/knutjb/.ssh/id_ed25519 type -1
debug1: identity file /home/knutjb/.ssh/id_ed25519-cert type -1
debug1: identity file /home/knutjb/.ssh/id_xmss type -1
debug1: identity file /home/knutjb/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1
debug1: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.205:22 as 'knutjb'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01,rsa-sha2-512-cert-v01,rsa-sha2-256-cert-v01,ssh-rsa-cert-v01,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128,hmac-sha2-512
debug2: compression ctos: none,zlib,zlib
debug2: compression stoc: none,zlib,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128,hmac-sha2-512
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:EwHHFvEjIwvcd4kdqRB0EXPvQlWwYZ8dI0UiWx+9opY
debug1: Host '192.168.1.205' is known and matches the ECDSA host key.
debug1: Found key in /home/knutjb/.ssh/known_hosts:26
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/knutjb/.ssh/id_rsa RSA SHA256:qHI8eA+2ugiaCGyuGin8YqEB7NZkScQA0pssMeQ5Pt8 agent
debug1: Will attempt key: /home/knutjb/.ssh/id_ecdsa ECDSA SHA256:eneW3T8KVodz7KthoSZeRrjkIUGIz2Tp2FNIKlK9VX4 agent
debug1: Will attempt key: /home/knutjb/.ssh/id_dsa 
debug1: Will attempt key: /home/knutjb/.ssh/id_ed25519 
debug1: Will attempt key: /home/knutjb/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)


debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/knutjb/.ssh/id_rsa RSA SHA256:qHI8eA+2ugiaCGyuGin8YqEB7NZkScQA0pssMeQ5Pt8 agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/knutjb/.ssh/id_rsa RSA SHA256:qHI8eA+2ugiaCGyuGin8YqEB7NZkScQA0pssMeQ5Pt8 agent
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.205 ([192.168.1.205]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00 want_reply 0
debug1: Remote: /home/knutjb/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/knutjb/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 5 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env XMODIFIERS = @im=none
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MONETARY = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_PAPER = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_MEASUREMENT = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_TIME = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_NUMERIC = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Apr 17 07:43:27 2020 from 192.168.1.205
knutjb@knut:~$ 

When selinux is disable

Comment 5 Lukas Vrabec 2020-04-20 17:03:26 UTC
commit 4253667b97bfa3fd0cb01774d022a72d3bedd6a2 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Mon Apr 20 18:29:55 2020 +0200

    Update policy for NetworkManager_ssh_t
    
    corenet_rw_tun_tap_dev: Allow NetworkManager_ssh_t to read write tun_tap_device chr_files
    
    init_rw_stream_sockets:  Allow NetworkManager_ssh_t to read/write to init with a unix domain stream sockets.
    
    sysnet_domtrans_ifconfig: Allow NetworkManager_ssh_t to execute ifconfig in the ifconfig domain
    
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1761071

Backported to F32, F31.

Comment 6 Fedora Update System 2020-05-20 13:47:32 UTC
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

Comment 7 Fedora Update System 2020-05-21 04:16:12 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-06-05 02:39:55 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Patrik Koncity 2020-06-26 15:42:41 UTC
*** Bug 1813096 has been marked as a duplicate of this bug. ***

Comment 10 Patrik Koncity 2020-06-26 15:45:39 UTC
*** Bug 1813098 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.