Description of problem: sshl, when run in transparent proxy mode, needs CAP_NET_ADMIN to set IP_TRANSPARENT on the socket. The systemd service file already allows this capability, but right now it's denied by selinux: type=AVC msg=audit(1623508461.430:33758): avc: denied { net_admin } for pid=63924 comm="sslh" capability=12 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sslh_t:s0 tclass=capability permissive=0 Version-Release number of selected component (if applicable): selinux-policy-targeted-34.7-1.fc34.noarch How reproducible: Always Steps to Reproduce: 1. configure sslh for transparent proxying 2. attempt to use a transparent connection results in sslh[3867]: common.c:237:setsockopt: Operation not permitted Generating a local policy with allow sslh_t self:capability net_admin; makes sslh work for transparent mode.
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
F35 still does not contain the right permissions in selinux: $ sesearch --allow -s sslh_t -t sslh_t -c capability allow sslh_t sslh_t:capability { net_bind_service setgid setuid };
Ralf, Would you mind collect the denial with full auditing enabled? 1) Open the /etc/audit/rules.d/audit.rules file in an editor. 2) Remove the following line if it exists: -a task,never 3) Add the following line to the end of the file: -w /etc/shadow -p w 4) Restart the audit daemon: # service auditd restart 5) Re-run your scenario. 6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
I guess this is what you're looking for? type=PROCTITLE msg=audit(05/13/2022 20:04:47.514:792388) : proctitle=/usr/sbin/sslh -F/etc/sslh.cfg type=SYSCALL msg=audit(05/13/2022 20:04:47.514:792388) : arch=x86_64 syscall=setsockopt success=no exit=EPERM(Operation not permitted) a0=0x3 a1=ip a2=IP_TRANSPARENT a3=0x7fff1bd843bc items=0 ppid=4078558 pid=4079955 auid=unset uid=sslh gid=sslh euid=sslh suid=sslh fsuid=sslh egid=sslh sgid=sslh fsgid=sslh tty=(none) ses=unset comm=sslh exe=/usr/sbin/sslh subj=system_u:system_r:sslh_t:s0 key=(null) type=AVC msg=audit(05/13/2022 20:04:47.514:792388) : avc: denied { net_admin } for pid=4079955 comm=sslh capability=net_admin scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sslh_t:s0 tclass=capability permissive=0 I also had to recompile with -BD to get that.
FEDORA-2022-9e53cb5027 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-9e53cb5027` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.