SELinux AVCs prevent establishing an SSH tunnel connection with NetworkManager-ssh.

Feb 28 14:08:34 codfish audit[171517]: AVC avc: denied { execute } for pid=171517 comm="sh" name="ifconfig" dev="dm-1" ino=1180546 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
Feb 28 14:08:34 codfish audit[171517]: AVC avc: denied { getattr } for pid=171517 comm="sh" path="/usr/sbin/ifconfig" dev="dm-1" ino=1180546 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
Feb 28 14:08:34 codfish audit[171517]: AVC avc: denied { getattr } for pid=171517 comm="sh" path="/usr/sbin/ifconfig" dev="dm-1" ino=1180546 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
Feb 28 14:08:34 codfish audit[171518]: AVC avc: denied { execute_no_trans } for pid=171518 comm="nm-ssh-service" path="/usr/bin/ssh" dev="dm-1" ino=1196020 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Additional Information:
Source Context                system_u:system_r:NetworkManager_ssh_t:s0
Target Context                system_u:object_r:ifconfig_exec_t:s0
Target Objects                /usr/sbin/ifconfig [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          codfish
Source RPM Packages
Target RPM Packages           net-tools-2.0-0.55.20160912git.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-48.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     codfish
Platform                      Linux codfish 5.4.19-200.fc31.x86_64 #1 SMP Wed Feb 12 15:21:24 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-01-29 08:19:07 WET
Last Seen                     2020-02-28 14:08:34 WET
Local ID                      1ef5737d-99bd-4625-bfa9-4544a30dee7a

Raw Audit Messages
type=AVC msg=audit(1582898914.917:1613): avc: denied { execute } for pid=171517 comm="sh" name="ifconfig" dev="dm-1" ino=1180546 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0

Hash: sh,NetworkManager_ssh_t,ifconfig_exec_t,file,execute

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Additional Information:
Source Context                system_u:system_r:NetworkManager_ssh_t:s0
Target Context                system_u:object_r:ifconfig_exec_t:s0
Target Objects                /usr/sbin/ifconfig [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          codfish
Source RPM Packages
Target RPM Packages           net-tools-2.0-0.55.20160912git.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-48.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     codfish
Platform                      Linux codfish 5.4.19-200.fc31.x86_64 #1 SMP Wed Feb 12 15:21:24 UTC 2020 x86_64 x86_64
Alert Count                   10
First Seen                    2020-01-29 08:19:07 WET
Last Seen                     2020-02-28 14:08:34 WET
Local ID                      3f244e63-b7a2-46b4-8100-0e15f8d8a259

Raw Audit Messages
type=AVC msg=audit(1582898914.917:1615): avc: denied { getattr } for pid=171517 comm="sh" path="/usr/sbin/ifconfig" dev="dm-1" ino=1180546 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0

Hash: sh,NetworkManager_ssh_t,ifconfig_exec_t,file,getattr

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Additional Information:
Source Context                system_u:system_r:NetworkManager_ssh_t:s0
Target Context                system_u:object_r:ssh_exec_t:s0
Target Objects                /usr/bin/ssh [ file ]
Source                        nm-ssh-service
Source Path                   nm-ssh-service
Port                          <Unknown>
Host                          codfish
Source RPM Packages
Target RPM Packages           openssh-clients-8.1p1-1.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-48.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     codfish
Platform                      Linux codfish 5.4.19-200.fc31.x86_64 #1 SMP Wed Feb 12 15:21:24 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-01-29 08:19:07 WET
Last Seen                     2020-02-28 14:08:34 WET
Local ID                      03c2c10f-9ef6-41fc-905a-03a3e30ae3d7

Raw Audit Messages
type=AVC msg=audit(1582898914.918:1616): avc: denied { execute_no_trans } for pid=171518 comm="nm-ssh-service" path="/usr/bin/ssh" dev="dm-1" ino=1196020 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0

Hash: nm-ssh-service,NetworkManager_ssh_t,ssh_exec_t,file,execute_no_trans
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@Nikola, did we solve the issue with NetworkManager and SSH tunneling? Thanks, Lukas.
Experiencing the same on Fedora 32.

$ sudo rpm -qa *selinux*
freeipa-selinux-4.8.6-1.fc32.noarch
python3-libselinux-3.0-3.fc32.x86_64
libselinux-3.0-3.fc32.x86_64
tpm2-abrmd-selinux-2.3.1-1.fc32.noarch
container-selinux-2.132.0-1.fc32.noarch
selinux-policy-targeted-3.14.5-32.fc32.noarch
flatpak-selinux-1.6.3-1.fc32.noarch
libselinux-utils-3.0-3.fc32.x86_64
selinux-policy-3.14.5-32.fc32.noarch
rpm-plugin-selinux-4.15.1-2.fc32.1.x86_64

$ sudo rpm -qa NetworkManager{,-ssh}
NetworkManager-ssh-1.2.11-1.fc32.x86_64
NetworkManager-1.22.10-1.fc32.x86_64
Hi, sorry for late response, it is fixed. PR to Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/206
Thank you for the patch. I believe the fix is available in selinux-policy-3.14.5-37:

* Wed Apr 29 2020 Zdenek Pytela <zpytela> - 3.14.5-37
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow glusterd synchronize between master and slave
- Allow spamc_t domain to read network state
- Allow strongswan use tun/tap devices and keys
- Allow systemd_userdbd_t domain logging to journal

However, I am still seeing AVCs. I'm running the latest Fedora 32 with selinux-policy-3.14.5-39.fc32.noarch installed. Should I file a separate BZ or continue tracking on this one?

Jun 06 15:10:41 codfish NetworkManager[1224]: <info> [1591449041.8705] audit: op="connection-activate" uuid="ef45afd9-db9c-4002-8bd5-94d172118dcd" name="shark SSH VPN" pid=35920 uid=1000 result="success"
Jun 06 15:10:41 codfish NetworkManager[1224]: <info> [1591449041.8737] vpn-connection[0x557c98630740,ef45afd9-db9c-4002-8bd5-94d172118dcd,"shark SSH VPN",0]: Started the VPN service, PID 36077
Jun 06 15:10:41 codfish NetworkManager[1224]: <info> [1591449041.8825] vpn-connection[0x557c98630740,ef45afd9-db9c-4002-8bd5-94d172118dcd,"shark SSH VPN",0]: Saw the service appear; activating connection
Jun 06 15:10:41 codfish NetworkManager[1224]: <info> [1591449041.8893] vpn-connection[0x557c98630740,ef45afd9-db9c-4002-8bd5-94d172118dcd,"shark SSH VPN",0]: VPN connection: (ConnectInteractive) reply received
Jun 06 15:10:41 codfish nm-ssh-service[36077]: Error getting ssh-agent socket ownership: 14
Jun 06 15:10:41 codfish nm-ssh-service[36077]: Using root's .ssh/known_hosts
Jun 06 15:10:41 codfish audit[36084]: AVC avc: denied { execute_no_trans } for pid=36084 comm="nm-ssh-service" path="/usr/bin/ssh" dev="dm-1" ino=1198473 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
Jun 06 15:10:41 codfish NetworkManager[1224]: <warn> [1591449041.8982] vpn-connection[0x557c98630740,ef45afd9-db9c-4002-8bd5-94d172118dcd,"shark SSH VPN",0]: VPN connection: failed to connect: 'Failed to spawn child process “/usr/bin/ssh” (Permission denied)'
Jun 06 15:10:41 codfish NetworkManager[1224]: <info> [1591449041.8997] vpn-connection[0x557c98630740,ef45afd9-db9c-4002-8bd5-94d172118dcd,"shark SSH VPN",0]: VPN plugin: state changed: stopped (6)
Jun 06 15:10:44 codfish systemd[1]: Started dbus-:1.6-org.fedoraproject.Setroubleshootd.
Jun 06 15:10:44 codfish audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.6-org.fedoraproject.Setroubleshootd@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 06 15:10:45 codfish systemd[1]: Started dbus-:1.6-org.fedoraproject.SetroubleshootPrivileged.
Jun 06 15:10:45 codfish audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.6-org.fedoraproject.SetroubleshootPrivileged@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 06 15:10:46 codfish setroubleshoot[36085]: SELinux is preventing nm-ssh-service from execute_no_trans access on the file /usr/bin/ssh. For complete SELinux messages run: sealert -l 03c2c10f-9ef6-41fc-905a-03a3e30ae3d7
Jun 06 15:10:46 codfish python3[36085]: SELinux is preventing nm-ssh-service from execute_no_trans access on the file /usr/bin/ssh.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that nm-ssh-service should be allowed execute_no_trans access on the ssh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'nm-ssh-service' --raw | audit2allow -M my-nmsshservice
# semodule -X 300 -i my-nmsshservice.pp
Carlos,

No need for another bugzilla. I'd like to ask you though to switch the system or the domain to permissive mode and collect all denials:

# semanage permissive -a NetworkManager_ssh_t
<reproduce>
# semanage permissive -d NetworkManager_ssh_t
# ausearch -i -m avc,user_avc -ts recent
# semanage permissive -a NetworkManager_ssh_t
<reproduce>
# semanage permissive -d NetworkManager_ssh_t
libsemanage.semanage_direct_remove_key: Removing last permissive_NetworkManager_ssh_t module (no other permissive_NetworkManager_ssh_t module exists at another priority).
# ausearch -i -m avc,user_avc -ts recent
----
type=USER_AVC msg=audit(11/06/20 11:50:41.683:387) : pid=1118 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
----
type=AVC msg=audit(11/06/20 11:51:03.036:395) : avc: denied { execute_no_trans } for pid=8816 comm=nm-ssh-service path=/usr/bin/ssh dev="dm-1" ino=1198473 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(11/06/20 11:51:03.039:396) : avc: denied { dac_override } for pid=8816 comm=ssh capability=dac_override scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:system_r:NetworkManager_ssh_t:s0 tclass=capability permissive=1
----
type=AVC msg=audit(11/06/20 11:51:09.316:399) : avc: denied { read } for pid=8816 comm=ssh name=id_rsa.pub dev="dm-1" ino=1053484 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(11/06/20 11:51:09.316:400) : avc: denied { open } for pid=8816 comm=ssh path=/home/cgoncalves/.ssh/id_rsa.pub dev="dm-1" ino=1053484 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
----
type=USER_AVC msg=audit(11/06/20 11:52:05.679:405) : pid=1118 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3) exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
AVCs with authentication type set to password:

type=USER_AVC msg=audit(11/06/20 11:57:41.682:450) : pid=1118 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=6) exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
----
type=AVC msg=audit(11/06/20 11:57:51.566:451) : avc: denied { read write } for pid=9339 comm=sshpass name=ptmx dev="devtmpfs" ino=2059 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(11/06/20 11:57:51.566:452) : avc: denied { open } for pid=9339 comm=sshpass path=/dev/ptmx dev="devtmpfs" ino=2059 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(11/06/20 11:57:51.566:453) : avc: denied { ioctl } for pid=9339 comm=sshpass path=/dev/ptmx dev="devtmpfs" ino=2059 ioctlcmd=TCGETS scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(11/06/20 11:57:51.566:454) : avc: denied { getattr } for pid=9339 comm=sshpass path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(11/06/20 11:57:51.566:455) : avc: denied { read write } for pid=9339 comm=sshpass name=1 dev="devpts" ino=4 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(11/06/20 11:57:51.566:456) : avc: denied { open } for pid=9339 comm=sshpass path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(11/06/20 11:57:51.566:457) : avc: denied { execute_no_trans } for pid=9340 comm=sshpass path=/usr/bin/ssh dev="dm-1" ino=1198473 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
This message is a reminder that Fedora 32 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 32 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
I am seeing the same issue on Fedora 42 with NetworkManager-ssh installed and GNOME Control Center's "SSH" VPN set to create a SOCKS proxy (the -D option in the advanced settings dialog) without creating a full tunnel (the "No tunnel" option) and a custom gateway port instead of the default port 22. It happens whether I use 9999 or 22222 as the custom SSH gateway port to connect to. In that case, the GUI fails without clear details; the only indication the user gets is when monitoring `journalctl -f`:

```
nm-ssh-service[1422817]: debug1: Connecting to the_test_server [some_IP_address] port 9999.
audit[1422823]: AVC avc: denied { name_connect } for pid=1422823 comm="ssh" dest=9999 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket permissive=0
nm-ssh-service[1422817]: debug1: connect to address some_IP_address port 9999: Permission denied
nm-ssh-service[1422817]: ssh: connect to host the_test_server.com port 9999: Permission denied
nm-ssh-service[1422817]: ssh exited with error code 255
NetworkManager[1508]: <warn> [1747000762.1773] vpn[0x55aee09934b0,4a055204-9b0b-4a9b-9395-a33a94522636,"Tunnel test"]: dbus: failure: connect-failed (1)
NetworkManager[1508]: <warn> [1747000762.1775] vpn[0x55aee09934b0,4a055204-9b0b-4a9b-9395-a33a94522636,"Tunnel test"]: dbus: failure: connect-failed (1)
```
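Added example (editor's code, not part of this Bugzilla thread or of the selinux-policy project): a small Python triage script for the permissive-mode collection step described earlier in the thread and for the Fedora 42 `name_connect` denial just above. It parses both AVC formats that appear on this page (raw journal/auditd records with `msg=audit(<epoch>:<serial>)` and the `ausearch -i` interpreted form), collapses them into one allow rule per source/target/class with permissions unioned, the way audit2allow does, counts how many denials actually blocked the call (`permissive=0`), and flags two cases where the right fix is a relabel rather than a new allow rule: the `id_rsa.pub` under `~/.ssh` carrying `container_file_t` (the targeted policy's default label for `~/.ssh` is `ssh_home_t`, so `restorecon` is the first check), and TCP port 9999 carrying `jboss_management_port_t`, where `semanage port -m` to a type the domain already connects to is the usual answer. The sample records are constructed from denials quoted in the thread; the heuristics, the `ssh_port_t` suggestion (which assumes `NetworkManager_ssh_t` may already connect to that type, as it does for port 22) and the function names are this example's own.

```python
"""Triage SELinux AVC denials into the distinct (source, target, class) tuples
a policy fix would have to cover.

Added example for this thread; not part of the Bugzilla report or of the
selinux-policy project. SAMPLE_AVCS is constructed from denials quoted in the
thread, in the two formats that appear there: raw journal/auditd records
(msg=audit(<epoch>:<serial>)) and `ausearch -i` interpreted records.
"""
import re
from collections import defaultdict

SAMPLE_AVCS = """\
type=AVC msg=audit(1582898914.917:1613): avc: denied { execute } for pid=171517 comm="sh" name="ifconfig" dev="dm-1" ino=1180546 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1582898914.918:1616): avc: denied { execute_no_trans } for pid=171518 comm="nm-ssh-service" path="/usr/bin/ssh" dev="dm-1" ino=1196020 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(11/06/20 11:51:03.039:396) : avc: denied { dac_override } for pid=8816 comm=ssh capability=dac_override scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:system_r:NetworkManager_ssh_t:s0 tclass=capability permissive=1
type=AVC msg=audit(11/06/20 11:51:09.316:400) : avc: denied { open } for pid=8816 comm=ssh path=/home/cgoncalves/.ssh/id_rsa.pub dev="dm-1" ino=1053484 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/06/20 11:51:09.316:399) : avc: denied { read } for pid=8816 comm=ssh name=id_rsa.pub dev="dm-1" ino=1053484 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/06/20 11:57:51.566:451) : avc: denied { read write } for pid=9339 comm=sshpass name=ptmx dev="devtmpfs" ino=2059 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(11/06/20 11:57:51.566:453) : avc: denied { ioctl } for pid=9339 comm=sshpass path=/dev/ptmx dev="devtmpfs" ino=2059 ioctlcmd=TCGETS scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=1
audit[1422823]: AVC avc: denied { name_connect } for pid=1422823 comm="ssh" dest=9999 scontext=system_u:system_r:NetworkManager_ssh_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket permissive=0
"""

_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be double-quoted (journal) or bare (ausearch -i)
_FIELD = re.compile(r'\b(\w+)=("([^"]*)"|(\S+))')


def _type_of(context: str) -> str:
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = _DENIED.search(line)
    if not m:
        return None
    fields = {}
    for key, _, quoted, bare in _FIELD.findall(line[m.end():]):
        fields[key] = quoted if quoted else bare
    try:
        return {
            "perms": sorted(m.group(1).split()),
            "comm": fields.get("comm"),
            "stype": _type_of(fields["scontext"]),
            "ttype": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "permissive": int(fields.get("permissive", "0")),
            # full path if logged, else the file name, else the TCP port (name_connect)
            "target": fields.get("path") or fields.get("name") or fields.get("dest"),
        }
    except (KeyError, IndexError):
        return None


def allow_rules(lines):
    """One allow rule per (source type, target type, class), permissions
    unioned, as audit2allow would emit. A starting point for review, not a
    module to install as-is."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        target = "self" if ttype == stype else ttype
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def enforcing_denials(lines):
    """Denials that actually blocked the call (permissive=0). With the domain
    permissive, every step is logged and nothing is blocked, which is why the
    semanage permissive -a / -d collection surfaces the whole chain."""
    return sum(1 for line in lines if (r := parse_avc(line)) and r["permissive"] == 0)


def triage(lines):
    """Flag denials where a relabel, not a new allow rule, is the usual fix.
    The heuristics are this example's own, not from any SELinux tool."""
    notes, seen = [], set()
    for line in lines:
        rec = parse_avc(line)
        if not rec:
            continue
        key = (rec["ttype"], rec["tclass"], rec["target"])
        if key in seen:
            continue
        seen.add(key)
        target = rec["target"] or ""
        if rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"] and target.isdigit():
            # The port already carries a type (here jboss_management_port_t), so
            # -m (modify), not -a. Assumes the domain may already connect to
            # ssh_port_t, as it does for the default port 22.
            notes.append(
                f"tcp port {target} is labeled {rec['ttype']}; consider "
                f"`semanage port -m -t ssh_port_t -p tcp {target}` rather than "
                f"allowing {rec['stype']} to connect to {rec['ttype']}"
            )
        elif target.startswith("/home/") and "/.ssh/" in target and rec["ttype"] != "ssh_home_t":
            # ~/.ssh defaults to ssh_home_t in the targeted policy; anything else
            # on a key file points at mislabeling, which restorecon fixes.
            home = target.rsplit("/.ssh/", 1)[0]
            notes.append(
                f"{target} is labeled {rec['ttype']}, expected ssh_home_t; run "
                f"`restorecon -Rv {home}/.ssh` before writing policy"
            )
    return notes


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    print(f"{enforcing_denials(lines)} of {len(lines)} denials were enforced")
    print(*allow_rules(lines), sep="\n")
    print(*triage(lines), sep="\n")
```

Feed it the output of `ausearch -i -m avc -ts recent` after a permissive run, and read the `triage` notes before the `allow_rules` list: an allow rule for `container_file_t` or `jboss_management_port_t` would make the denial go away, but it would also widen what `NetworkManager_ssh_t` may touch far beyond the SSH key and SSH port the plugin actually needs.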