Finally working configuration after copying from a Mint VM lacking GUI in Fedora:
User login in Mate desktop
Password-protected SSH key for remote root in ~/.ssh
Key loaded into ssh-agent with ssh-add
Successful root login on remote without password. But only with setenforce 0.

After fixing some SELinux errors I went into the situation that the VPN only works with setenforce 0 but without AVC messages.

Reproducible: Always

Steps to Reproduce:
1. nmcli con up SSHvpn

Actual Results:
LANG=C nmcli con up sshvpn
Error: Connection activation failed: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=19f3ce27-6244-4c43-9a7d-662697e7ca46 + NM_DEVICE=bridge0' to get more details.

Expected Results:
LANG=C nmcli con up sshvpn
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/54)

One of the problems is access from NetworkManager to /run/user/1000/keyring/ssh where the agent lives, but there are more, only visible after "semodule -DB".

I classify it as low; the workaround is WireGuard, which, if the firewall permits, is easier to set up and works with SELinux enabled.
Created attachment 2050823: SELinux problems seen after semodule -DB and enforce=0
Interesting. Creating a SELinux module using the attached file creates a working system.
G'day. I'm attaching a .te selinux file that should be sufficient for running NetworkManager-ssh - it works for me in all 3 authentication modes (ssh-agent, key, password). I'm still unsure how I should incorporate that selinux policy, so if you (H. Janssen) can assist with that, it'd be great.
Created attachment 2078313: SELinux policy, tested with all 3 modes of authentication
With this attachment 2078313 installed into SELinux, plus another AVC:

#============= NetworkManager_ssh_t ==============
allow NetworkManager_ssh_t config_home_t:file { getattr open read };
allow NetworkManager_ssh_t self:capability dac_override;
allow NetworkManager_ssh_t ssh_exec_t:file execute_no_trans;
allow NetworkManager_ssh_t user_tmp_t:sock_file getattr;

and taking care that the FQDN entered in nm-connection-editor was in known_hosts instead of the short name, it works F42->F42. Thanks!
I've added the extra config_home_t entry to the policy. As of now, I'll package the policy together with the package. However, I saw there are new guidelines for Fedora module packaging which I don't really understand, but I'll adapt to them once I understand what is required. I'll push the fix for f41, f42 and rawhide.
FEDORA-2025-a20972b2b8 (NetworkManager-ssh-1.2.14-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a20972b2b8
FEDORA-2025-2d1d86ba58 (NetworkManager-ssh-1.2.14-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-2d1d86ba58
Version 1.2.14-1 should take care of that. The selinux policy was also pushed upstream (github).
It works fine now, both F41 and F42 in both directions.

Concerning packaging of SELinux, I've no experience. I only see packages like the one for mysql:

rpm -q --queryformat '[%{FILENAMES} %{FILEFLAGS:fflags}\n]' mysql-selinux
/usr/share/licenses/mysql-selinux
/usr/share/licenses/mysql-selinux/COPYING l
/usr/share/selinux/packages/targeted/mysql.pp.bz2
/var/lib/selinux/targeted/active/modules/200/mysql g

This means the only relevant file is /usr/share/selinux/packages/targeted/mysql.pp.bz2; the 200/mysql is a ghost.

The pp file could be generated with (selinux-policy-devel package):

# cp NetworkManager-ssh.te nm-ssh-service.te
# make -f /usr/share/selinux/devel/Makefile nm-ssh-service.pp
Compiling targeted nm-ssh-service module
Creating targeted nm-ssh-service.pp policy package
rm tmp/nm-ssh-service.mod tmp/nm-ssh-service.mod.fc

There are two instances of the word "mysql" in the embedded scripts, so maybe 2 changes do the job... You could give it a try...
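As an added example that is not part of this bug report or the NetworkManager-ssh project: a POSIX shell script that turns the four allow rules quoted above into a complete, loadable module source (generating the require block that checkmodule needs, including the merged permission set for the file class) and then builds it with the selinux-policy-devel Makefile step shown above. The module name nm_ssh_local, the function names gen_te and build_and_load, and the in-line rule list are constructed for this illustration.

```shell
#!/bin/sh
# Added example: build a local SELinux module from AVC-derived allow rules.
# Module name and rule list are constructed for illustration.
set -eu

# Constructed input: the four allow rules from the thread, one per line.
SAMPLE_RULES='allow NetworkManager_ssh_t config_home_t:file { getattr open read };
allow NetworkManager_ssh_t self:capability dac_override;
allow NetworkManager_ssh_t ssh_exec_t:file execute_no_trans;
allow NetworkManager_ssh_t user_tmp_t:sock_file getattr;'

# gen_te MODNAME: read allow rules on stdin, print a complete .te on stdout.
# The require{} block lists every referenced type (skipping the "self"
# keyword, which is not a type) and the union of permissions per object
# class, so "file" gets both { getattr open read } and execute_no_trans.
gen_te() {
  awk -v mod="$1" '
  /^allow / {
    rules[++n] = $0
    split($3, tc, ":"); cls = tc[2]
    if ($2 != "self") types[$2] = 1
    if (tc[1] != "self") types[tc[1]] = 1
    rest = $0; sub(/^allow [^ ]+ [^ ]+ */, "", rest); gsub(/[{};]/, " ", rest)
    m = split(rest, p, " ")
    for (i = 1; i <= m; i++) if (!((cls, p[i]) in seen)) {
      seen[cls, p[i]] = 1; perms[cls] = perms[cls] " " p[i]
    }
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", mod
    for (t in types) printf "\ttype %s;\n", t
    for (c in perms) printf "\tclass %s {%s };\n", c, perms[c]
    printf "}\n\n"
    for (i = 1; i <= n; i++) print rules[i]
  }'
}

# build_and_load MODNAME: write MODNAME.te, compile it to MODNAME.pp with the
# devel Makefile and load it. Needs selinux-policy-devel and root (semodule).
build_and_load() {
  printf '%s\n' "$SAMPLE_RULES" | gen_te "$1" > "$1.te"
  [ -f /usr/share/selinux/devel/Makefile ] || { echo "no devel Makefile; wrote $1.te only"; return 0; }
  make -f /usr/share/selinux/devel/Makefile "$1.pp"
  semodule -i "$1.pp" && semodule -l | grep -x "$1"   # confirm the module is loaded
}

# Show the generated source; call build_and_load nm_ssh_local as root to install.
printf '%s\n' "$SAMPLE_RULES" | gen_te nm_ssh_local
```

After loading, a second "semodule -DB" run (as in the thread) is the quickest way to see whether any denials remain that the module did not cover.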
I think I'm on top of things creating the selinux policy. My main question is... Should I make NetworkManager-ssh depend on NetworkManager-ssh-selinux? According to https://fedoraproject.org/wiki/SELinuxModularityPackagingGuidance I should be creating a module profile, which I'm not sure how to. At the moment, it is packaged in the same package (NetworkManager-ssh).
Alright, version 1.2.14-2 will have a NetworkManager-selinux package. The NetworkManager-ssh package will require it (like in the provided example). I've tested it on f41 and it looks good. I'll push it for f41 and f42; it is already pushed for rawhide.
Now I start understanding why I could not get it running on 42. Knowing that it should work with the attached policy, I tried by hand. Failure without SELinux notification. Now I learned that there are policies which are not audited. After "semodule -DB", I was flooded with notifications and it took three iterations before it connected, and still AVCs were popping up. So there should definitely be a NetworkManager-ssh-selinux package installed together with NetworkManager-ssh, otherwise a normal user gets totally confused. I must admit I do not understand the concept of SELinux violations without notice which are fatal, e.g. in this case, access to ssh-agent was blocked without notice.
FEDORA-2025-78315ed8c6 (NetworkManager-ssh-1.2.14-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-78315ed8c6
FEDORA-2025-94e668b303 (NetworkManager-ssh-1.2.14-2.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-94e668b303
> SELinux violations without notice which are fatal,
> e.g. In this case, access to ssh-agent was blocked without notice.

Had something similar when I was debugging that too. But "semodule -DB" did give me those blocks... Either way, I hope the attached policy will fix stuff for the time being!
FEDORA-2025-78315ed8c6 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-78315ed8c6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-78315ed8c6
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-94e668b303 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-94e668b303`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-94e668b303
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
From the F42 updates-testing, I'm confident that this bug can be marked as solved:

rpm -e --nodeps NetworkManager-ssh-selinux: immediate failure upon connection.
dnf reinstall NetworkManager-ssh-selinux: Connection
FEDORA-2025-78315ed8c6 (NetworkManager-ssh-1.2.14-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-94e668b303 (NetworkManager-ssh-1.2.14-2.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
*** Bug 2346352 has been marked as a duplicate of this bug. ***