Correct way to handle SELinux for a systemd-started SSH VPN
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
I am starting an SSH VPN connection with a systemd service. It's just a
simple service, with an ExecStart to run ssh. If I wrap it with a shell
(ExecStart=/bin/sh -c "/usr/bin/ssh %i"), it runs; if I take out the
shell wrap (ExecStart=/usr/bin/ssh %i), it fails due to SELinux not
allowing it. If I set permissive mode, there's a whole lot of different
things that init_t is not allowed to do. :)
So obviously I can just run with the shell wrapper, but is there a more
proper way to do this?
--
Chris Adams <linux(a)cmadams.net>
On Sun, Nov 13, 2022 at 4:34 AM Chris Adams <linux(a)cmadams.net> wrote:
I am starting an SSH VPN connection with a systemd service. It's
just a
simple service, with an ExecStart to run ssh. If I wrap it with a shell
(ExecStart=/bin/sh -c "/usr/bin/ssh %i"), it runs; if I take out the
shell wrap (ExecStart=/usr/bin/ssh %i), it fails due to SELinux not
allowing it. If I set permissive mode, there's a whole lot of different
things that init_t is not allowed to do. :)
So obviously I can just run with the shell wrapper, but is there a more
proper way to do this?
You can create your own policy module and use e. g. the
init_system_domain() interface.
Does this need to be a system service or would user service also do the job?
--
Chris Adams <linux(a)cmadams.net>
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
Zdenek Pytela
Security SELinux team
Once upon a time, Zdenek Pytela <zpytela(a)redhat.com> said:
On Sun, Nov 13, 2022 at 4:34 AM Chris Adams <linux(a)cmadams.net>
wrote:
> I am starting an SSH VPN connection with a systemd service. It's just a
> simple service, with an ExecStart to run ssh. If I wrap it with a shell
> (ExecStart=/bin/sh -c "/usr/bin/ssh %i"), it runs; if I take out the
> shell wrap (ExecStart=/usr/bin/ssh %i), it fails due to SELinux not
> allowing it. If I set permissive mode, there's a whole lot of different
> things that init_t is not allowed to do. :)
>
> So obviously I can just run with the shell wrapper, but is there a more
> proper way to do this?
>
You can create your own policy module and use e. g. the
init_system_domain() interface.
How would I go about doing that - is there a tutorial or something?
I've done basic things with local policy (mostly from running
audit2allow).
Does this need to be a system service or would user service also do
the job?
It's setting up a network interface, so I think that's more a system
than user service.
--
Chris Adams <linux(a)cmadams.net>
524
days inactive
532
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
tags (0)
participants (2)
-
Chris Adams -
Zdenek Pytela