Bug 1971170 - sslh_t needs capability net_admin
Summary: sslh_t needs capability net_admin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-12 16:26 UTC by Ralf Ertzinger
Modified: 2022-06-23 03:13 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-35.18-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-23 03:13:48 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1206 0 None open Allow sslh net_admin capability 2022-05-25 21:00:26 UTC

Description Ralf Ertzinger 2021-06-12 16:26:40 UTC
Description of problem:
sshl, when run in transparent proxy mode, needs CAP_NET_ADMIN to set IP_TRANSPARENT on the socket. The systemd service file already allows this capability, but right now it's denied by selinux:

type=AVC msg=audit(1623508461.430:33758): avc:  denied  { net_admin } for  pid=63924 comm="sslh" capability=12  scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sslh_t:s0 tclass=capability permissive=0


Version-Release number of selected component (if applicable):
selinux-policy-targeted-34.7-1.fc34.noarch

How reproducible:
Always

Steps to Reproduce:
1. configure sslh for transparent proxying
2. attempt to use a transparent connection

results in
sslh[3867]: common.c:237:setsockopt: Operation not permitted

Generating a local policy with

allow sslh_t self:capability net_admin;

makes sslh work for transparent mode.

Comment 1 Ben Cotton 2022-05-12 16:50:01 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 2 Ralf Ertzinger 2022-05-13 09:16:25 UTC
F35 still does not contain the right permissions in selinux:

$ sesearch --allow -s sslh_t -t sslh_t -c capability
allow sslh_t sslh_t:capability { net_bind_service setgid setuid };

Comment 3 Zdenek Pytela 2022-05-13 17:07:11 UTC
Ralf,

Would you mind collect the denial with full auditing enabled?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 4 Ralf Ertzinger 2022-05-13 20:06:48 UTC
I guess this is what you're looking for?

type=PROCTITLE msg=audit(05/13/2022 20:04:47.514:792388) : proctitle=/usr/sbin/sslh -F/etc/sslh.cfg 
type=SYSCALL msg=audit(05/13/2022 20:04:47.514:792388) : arch=x86_64 syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3 a1=ip a2=IP_TRANSPARENT a3=0x7fff1bd843bc items=0 ppid=4078558 pid=4079955 auid=unset uid=sslh gid=sslh euid=sslh suid=sslh fsuid=sslh egid=sslh sgid=sslh fsgid=sslh tty=(none) ses=unset comm=sslh exe=/usr/sbin/sslh subj=system_u:system_r:sslh_t:s0 key=(null) 
type=AVC msg=audit(05/13/2022 20:04:47.514:792388) : avc:  denied  { net_admin } for  pid=4079955 comm=sslh capability=net_admin  scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sslh_t:s0 tclass=capability permissive=0 

I also had to recompile with -BD to get that.

Comment 5 Fedora Update System 2022-06-07 09:25:26 UTC
FEDORA-2022-9e53cb5027 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

Comment 6 Fedora Update System 2022-06-08 01:20:17 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-9e53cb5027`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2022-06-23 03:13:48 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.