systemd for a while now has auto-generated a service for a VSOCK SSH server in VMs when VSOCK support is detected; however, connecting to the service fails because it's blocked by SELinux policy. With dontaudit disabled (when I was trying to tell why), I see:

type=AVC msg=audit(1761507503.187:643): avc: denied { noatsecure } for pid=2940 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.187:644): avc: denied { read write } for pid=2940 comm="sshd-session" path="socket:[26739]" dev="sockfs" ino=26739 scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1761507503.187:645): avc: denied { rlimitinh } for pid=2940 comm="sshd-session" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.187:646): avc: denied { siginh } for pid=2940 comm="sshd-session" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.191:647): avc: denied { noatsecure } for pid=2943 comm="sshd-session" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.191:648): avc: denied { read write } for pid=2943 comm="sshd-auth" path="socket:[26739]" dev="sockfs" ino=26739 scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1761507503.191:649): avc: denied { rlimitinh } for pid=2943 comm="sshd-auth" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.191:650): avc: denied { siginh } for pid=2943 comm="sshd-auth" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.193:651): avc: denied { getattr } for pid=2943 comm="sshd-auth" scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1761507503.194:652): avc: denied { write } for pid=2943 comm="sshd-auth" path="socket:[26739]" dev="sockfs" ino=26739 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1761507503.194:653): avc: denied { read } for pid=2943 comm="sshd-auth" path="socket:[26739]" dev="sockfs" ino=26739 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1761507503.512:658): avc: denied { noatsecure } for pid=2944 comm="sshd-session" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.512:659): avc: denied { rlimitinh } for pid=2944 comm="unix_chkpwd" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1761507503.512:660): avc: denied { siginh } for pid=2944 comm="unix_chkpwd" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1

Reproducible: Always
For a bit more context, here's a journal excerpt with some verbose OpenSSH logging mixed in:

Nov 12 21:57:44 fedora systemd[1]: Starting sshd@15-8199-3:22-2:1049463652.service - OpenSSH per-connection server daemon (vsock:2:1049463652)...
Nov 12 21:57:44 fedora systemd[1]: Started sshd@15-8199-3:22-2:1049463652.service - OpenSSH per-connection server daemon (vsock:2:1049463652).
Nov 12 21:57:44 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd@15-8199-3:22-2:1049463652 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 12 21:57:44 fedora sshd[6287]: debug1: rexec start in -1 out -1 newsock -1 config_s 6/7
Nov 12 21:57:44 fedora audit[6287]: AVC avc: denied { noatsecure } for pid=6287 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=0
Nov 12 21:57:44 fedora audit[6287]: AVC avc: denied { read write } for pid=6287 comm="sshd-session" path="socket:[46503]" dev="sockfs" ino=46503 scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
Nov 12 21:57:44 fedora audit[6287]: AVC avc: denied { rlimitinh } for pid=6287 comm="sshd-session" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=0
Nov 12 21:57:44 fedora audit[6287]: AVC avc: denied { siginh } for pid=6287 comm="sshd-session" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=0
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: sshd-session version OpenSSH_10.0, OpenSSL 3.5.4 30 Sep 2025
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: network sockets: 6, 7
Nov 12 21:57:44 fedora sshd-session[6287]: main: SHA1 in signatures is disabled for RSA keys
Nov 12 21:57:44 fedora sshd-session[6287]: Connection from UNKNOWN port 65535 on UNKNOWN port 65535
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: Local version string SSH-2.0-OpenSSH_10.0
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: Remote protocol version 2.0, remote software version OpenSSH_10.0
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: compat_banner: match: OpenSSH_10.0 pat OpenSSH* compat 0x04000000
Nov 12 21:57:44 fedora audit[6290]: AVC avc: denied { noatsecure } for pid=6290 comm="sshd-session" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tclass=process permissive=1
Nov 12 21:57:44 fedora audit[6290]: AVC avc: denied { read write } for pid=6290 comm="sshd-auth" path="socket:[46503]" dev="sockfs" ino=46503 scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
Nov 12 21:57:44 fedora audit[6290]: AVC avc: denied { rlimitinh } for pid=6290 comm="sshd-auth" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tclass=process permissive=1
Nov 12 21:57:44 fedora audit[6290]: AVC avc: denied { siginh } for pid=6290 comm="sshd-auth" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tclass=process permissive=1
Nov 12 21:57:44 fedora audit[6290]: AVC avc: denied { getattr } for pid=6290 comm="sshd-auth" scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: mm_answer_state: config len 3835
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: SELinux support enabled [preauth]
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_auth_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: permanently_set_uid: 74/74 [preauth]
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Nov 12 21:57:44 fedora audit[6290]: AVC avc: denied { write } for pid=6290 comm="sshd-auth" path="socket:[46503]" dev="sockfs" ino=46503 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=0
Nov 12 21:57:44 fedora sshd-session[6287]: ssh_dispatch_run_fatal: Connection from UNKNOWN port 65535: Permission denied [preauth]
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: monitor_read_log: child log fd closed
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: mm_reap: preauth child exited with status 255
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: do_cleanup
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: Killing privsep child 6290
Nov 12 21:57:44 fedora audit[6287]: AUDIT1112 pid=6287 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 msg='op=login acct="(unknown)" exe="/usr/libexec/openssh/sshd-session" hostname=? addr=UNKNOWN terminal=ssh res=failed'
Nov 12 21:57:44 fedora systemd[1]: sshd@15-8199-3:22-2:1049463652.service: Deactivated successfully.
Nov 12 21:57:44 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd@15-8199-3:22-2:1049463652 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

It seems like sshd-auth being unable to write to the vsock is the proximate cause of failure at the moment.
Can you check if the following module resolves the issue?

# cat local_ssh_vsock.cil
(allow sshd_session_t sshd_t (vsock_socket (read write)))
# semodule -i local_ssh_vsock.cil
No, not for me. But changing sshd_session_t to sshd_net_t (i.e. "(allow sshd_net_t sshd_t (vsock_socket (read write)))") seems to work, FWIW.
Same here, an sshd_net_t rule works. I do still get a denial:

type=AVC msg=audit(1762992002.599:141): avc: denied { getattr } for pid=1063 comm="sshd-auth" scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1

but it seems to work okay. Not sure what sshd-auth is trying to do there; it doesn't log any errors itself. Maybe that could be a dontaudit?
I've been digging into this a bit, and I'm a little confused. Can I just ask: what is the purpose of the sshd_net_t preauth privsep mechanism now that sshd-auth and sshd_auth_t are a thing? From what I can gather:

- sshd-auth does what used to be done in sshd_net_t (judging from the way the Fedora SELinux patches were rebased[1])
- sshd-auth doesn't seem to do much(?) before it does the sshd_auth_t -> sshd_net_t transition
- Minus `typeattribute nsswitch_domain sshd_auth_t`, the set of allow rules for sshd_auth_t and sshd_net_t look pretty similar

I also noticed that the introduction of sshd_session_t and sshd_auth_t dropped vsock perms from sshd_net_t.[2] Is this related?

[1]: https://src.fedoraproject.org/rpms/openssh/c/6330768ca86ff2194758a9fb37c0d7b4114abeb5?branch=rawhide, openssh-6.6.1p1-selinux-contexts.patch -> 0018-openssh-6.6.1p1-selinux-contexts.patch, @@ -116,16 +129,19 @@
[2]: https://github.com/fedora-selinux/selinux-policy/commit/efa131d050dd69a07f030c3dc5c8e189bdc49fd3#diff-352a7870f53f781c780c06a5fa48868a5b6dbf2e423d6d041d8196b54defe314L652
You are right that the openssh patches can be dropped now. I dropped the permissions when I felt they were not needed any longer; I will fix it soon. Certainly when the sshd-net patches are dropped, the permissions will be needed for session/auth.
Latest Rawhide still affected (needs workaround from bob).

My Host (no change needed): 42 (Workstation Edition)
My (affected) Guest (installed from Fedora-Server-netinst-x86_64-Rawhide-20251113.n.0.iso): 44 (Server Edition Prerelease)

Using final local_ssh_vsock.cil:

;; local_ssh_vsock.cil - fix broken 'ssh vsock/X'
;; https://bugzilla.redhat.com/show_bug.cgi?id=2406423
(allow sshd_net_t sshd_t (vsock_socket (read write)))

Installed with:

semodule -i local_ssh_vsock.cil

Presence checked with:

$ semodule -l | grep local_ssh_vsock
local_ssh_vsock

Please note that without the fix it is very hard to find the cause for a regular user. Client (Host) just throws:

$ ssh vsock/3
Connection closed by UNKNOWN port 0

While Server (Guest) just shows in journald:

sshd-session[950]: ssh_dispatch_run_fatal: Connection from UNKNOWN port 65535: Permission denied [preauth]

Package details:

$ dnf info selinux-policy-targeted
Updating and loading repositories:
Repositories loaded.
Installed packages
Name            : selinux-policy-targeted
Epoch           : 0
Version         : 42.15
Release         : 1.fc44
Architecture    : noarch
Installed size  : 18.7 MiB
Source          : selinux-policy-42.15-1.fc44.src.rpm
From repository : rawhide
Summary         : SELinux targeted policy
URL             : https://github.com/fedora-selinux/selinux-policy
License         : GPL-2.0-or-later
Description     : SELinux targeted policy package.
Vendor          : Fedora Project
The issue is expectedly fixed in selinux-policy-42.17-1
Thanks! selinux-policy-42.17-1 fixes the problem for me; both Rawhide and F43 work fine. (I'm not the Reporter, so I'm not changing the resolution.)
(In reply to Henryk Paluch (Work) from comment #7)
> Latest Rawhide still affected (needs workaround from bob).
> My Host (no change needed): 42 (Workstation Edition)

I think that's just because Fedora 42 is still on sshd < 10.0
Right, you need F43+ to have sshd-auth. Can someone with F43+ try to remove all local modules and update to the 42.19 build?

semodule -r local_ssh_vsock
semodule -lfull|grep -v ^[12]00
I just installed a clean Fedora 43+updates VM to test (which gets selinux-policy-42.18). ssh qemu/fedora43 works, although there's still an annoying denial in /var/log/audit/audit.log:

type=AVC msg=audit(1765241449.815:120): avc: denied { getattr } for pid=1037 comm="sshd-auth" scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1

"semodule -lfull|grep -v ^[12]00" shows no output.

Installing selinux-policy-42.19 from updates-testing has the same results:

type=AVC msg=audit(1765241721.016:79): avc: denied { getattr } for pid=944 comm="sshd-auth" scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
Thanks, you can now try the copr build in https://github.com/fedora-selinux/selinux-policy/pull/2989
(In reply to Chris Adams from comment #12)
> I just installed a clean Fedora 43+updates VM to test (which gets
> selinux-policy-42.18). ssh qemu/fedora43 works, although there's still an
> annoying denial in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1765241449.815:120): avc: denied { getattr } for
> pid=1037 comm="sshd-auth"
> scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket
> permissive=1
>
> "semodule -lfull|grep -v ^[12]00" shows no output.
>
> Installing selinux-policy-42.19 from updates-testing has the same results:
>
> type=AVC msg=audit(1765241721.016:79): avc: denied { getattr } for
> pid=944 comm="sshd-auth"
> scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket
> permissive=1

In my case both are true:
1. avc denied message in guest
2. however vsock connection works properly - guest F43, package selinux-policy-targeted-42.19-1.fc43.noarch

What is puzzling me is that we have at the same time "avc: denied" but also "permissive=1" - even in default enforcing+targeted mode. So I'm unable to understand what actually happens (was getattr denied or not?).
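Editor's note, with an added example that is not code from anyone in this bug nor from selinux-policy or openssh: the `permissive=` field in an AVC record answers the question above. `permissive=0` means the kernel refused the access; `permissive=1` means the access was allowed and only reported, which happens in global permissive mode or when the source domain itself is permissive (the records in this bug show `permissive=1` exactly when the source type is sshd_session_t or sshd_auth_t, and `permissive=0` for sshd_t and sshd_net_t; `semanage permissive -l` lists such domains). That also explains why the first proposed module (comment 2, sshd_session_t) changed nothing while the sshd_net_t rule fixed the connection: the only enforced vsock_socket denial was the sshd_net_t write. The script below parses AVC records in both the audit.log and journald forms, buckets them into enforced, logged-only, and the noatsecure/rlimitinh/siginh transition noise that appears once dontaudit rules are disabled, and merges each bucket into CIL allow rules in the same form used in this thread. The sample records are assembled from this bug; the `permissive` flag on the sshd_net_t read record is set to 0 here to mirror an enforcing-mode run, and the bucket and function names are my own.

```python
"""Classify SELinux AVC denials and turn each bucket into CIL allow rules.

Handles both the /var/log/audit/audit.log form
("type=AVC msg=audit(...): avc: denied ...") and the journald form
("audit[PID]: AVC avc: denied ...") quoted in this bug.
"""
import re
from collections import OrderedDict

# Match from "avc: denied { perms } for" to end of line; the prefix differs
# between audit.log and journald, so it is deliberately not matched.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values may be quoted (comm="sshd-auth", path="socket:[46503]").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions checked at a domain transition. They surface once
# dontaudit rules are disabled (semodule -DB) and do not break the connection.
INHERIT_NOISE = frozenset({'noatsecure', 'rlimitinh', 'siginh'})


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    def type_of(ctx):
        return ctx.split(':')[2]  # user:role:type:range -> type
    return {
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=0: the kernel refused the access. permissive=1: allowed
        # and only reported (global permissive mode or a permissive source
        # domain). A record without the field is treated as enforced.
        'enforced': fields.get('permissive', '0') == '0',
    }


def cil_rules(records):
    """Merge records into one CIL allow rule per (source, target, class)."""
    merged = OrderedDict()
    for r in records:
        perms = merged.setdefault((r['stype'], r['ttype'], r['tclass']), [])
        for p in r['perms']:
            if p not in perms:
                perms.append(p)
    return ['(allow %s %s (%s (%s)))' % (s, t, c, ' '.join(sorted(ps)))
            for (s, t, c), ps in merged.items()]


def diagnose(audit_text):
    """Bucket AVC records and return the CIL rule each bucket would need."""
    buckets = {'enforced': [], 'logged_only': [], 'inherit_noise': []}
    for line in audit_text.splitlines():
        r = parse_avc(line)
        if r is None:
            continue
        if r['tclass'] == 'process' and set(r['perms']) <= INHERIT_NOISE:
            buckets['inherit_noise'].append(r)
        elif r['enforced']:
            buckets['enforced'].append(r)
        else:
            buckets['logged_only'].append(r)
    return {name: cil_rules(rs) for name, rs in buckets.items()}


# Constructed sample assembled from records quoted in this bug (journald and
# audit.log forms, plus one non-AVC journal line). The permissive flag on the
# sshd_net_t "read" record is set to 0 here to mirror an enforcing-mode run.
SAMPLE_AUDIT = """\
Nov 12 21:57:44 fedora audit[6287]: AVC avc: denied { noatsecure } for pid=6287 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=0
Nov 12 21:57:44 fedora audit[6287]: AVC avc: denied { read write } for pid=6287 comm="sshd-session" path="socket:[46503]" dev="sockfs" ino=46503 scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
Nov 12 21:57:44 fedora sshd-session[6287]: debug1: SSH2_MSG_KEXINIT sent [preauth]
type=AVC msg=audit(1765241449.815:120): avc: denied { getattr } for pid=1037 comm="sshd-auth" scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
Nov 12 21:57:44 fedora audit[6290]: AVC avc: denied { write } for pid=6290 comm="sshd-auth" path="socket:[46503]" dev="sockfs" ino=46503 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=0
type=AVC msg=audit(1761507503.194:653): avc: denied { read } for pid=2943 comm="sshd-auth" path="socket:[26739]" dev="sockfs" ino=26739 scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=0
"""

if __name__ == '__main__':
    for bucket, rules in diagnose(SAMPLE_AUDIT).items():
        print(bucket + ':')
        for rule in rules:
            print('  ' + rule)
```

On the sample, only the `enforced` bucket yields `(allow sshd_net_t sshd_t (vsock_socket (read write)))`, the rule the thread converged on; the `logged_only` bucket reproduces the sshd_session_t rule from comment 2 and the sshd_auth_t getattr rule, neither of which affects whether the connection succeeds while those domains are permissive. Rules from the `logged_only` bucket still matter before a domain is switched to enforcing, which is what the later comments about dropped permissions are about.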
With the latest selinux-policy, do your scenarios work in SELinux enforcing mode?