Qubes-vpn-support fails with SELinux Enforcing #8565

Open
dylangerdaly opened this issue Oct 5, 2023 · 3 comments
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: networking diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@dylangerdaly

dylangerdaly commented Oct 5, 2023

Qubes OS release

4.2RC3

Brief summary

When running with SELinux enforcing, I'm unable to use the Qubes-vpn-support project (with tasket/Qubes-vpn-support#75)

Due to SELinux not labeling the service correctly

-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0  183 Sep 10 01:00 /lib/systemd/system/[email protected]
-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0  313 Sep 10 01:00 /lib/systemd/system/qubes-updates-proxy.service
-rwxr-xr-x. 1 root root unconfined_u:object_r:user_home_t:s0     1545 Oct  5 00:58 /lib/systemd/system/qubes-vpn-handler.service

Steps to reproduce

Use the standard fedora-38 (non-xfce) template and install Qubes-vpn-support

Expected behavior

VPN connect successfully

Actual behavior

SELinux breaks because restorecon isn't run, or SELinux rules aren't being applied correctly

@dylangerdaly dylangerdaly added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Oct 5, 2023
@marmarek
Member

marmarek commented Oct 5, 2023

Ok, so you identified which label is wrong already :) What if you run restorecon on it? Does it help?
If yes, I guess it needs to be added to the installation instruction.

@dylangerdaly
Author

dylangerdaly commented Oct 5, 2023

The above can be fixed by adding

restorecon -v /lib/systemd/system/*
chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*


diff --git a/files-main/rc.local b/files-main/rc.local
index bb07274..c3de1f9 100644
--- a/files-main/rc.local
+++ b/files-main/rc.local
@@ -13,6 +13,8 @@ sync
 ln -s -f /rw/config/qubes-vpn-ns /usr/lib/qubes/qubes-vpn-ns
 ln -s -f /rw/config/qubes-vpn-openvpn-script /usr/lib/qubes/qubes-vpn-openvpn-script
 ln -s -f /rw/config/qubes-vpn-setup /usr/lib/qubes/qubes-vpn-setup
+restorecon -v /lib/systemd/system/*
+chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*
 
 # Start tunnel service
 systemctl daemon-reload
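Review bot: the added `chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*` line uses a relative glob, but nothing in this hunk sets the working directory, so when rc.local is run at boot the pattern will not match the scripts the three `ln -s -f` lines above just linked; pass absolute paths instead, e.g. `chcon --reference=/usr/lib/qubes/qopen-in-vm /rw/config/qubes-vpn-*`, or the `/usr/lib/qubes/qubes-vpn-*` symlink targets. Note also that a `chcon` label is not recorded in the policy's file contexts, so the very `restorecon -v /lib/systemd/system/*` added one line earlier illustrates what will undo it on the next relabel: the durable form is a `semanage fcontext` rule for the `qubes-vpn-*` paths followed by `restorecon`, and `-v` output in rc.local is boot-log noise that can be dropped once the fix is confirmed.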
diff --git a/install b/install
old mode 100644
new mode 100755
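Review bot: this hunk is a mode-only change that makes `install` executable and is unrelated to the SELinux labeling fix in `rc.local`; either state it in the commit message or split it into its own commit, and since `install` is the one-time step that copies the scripts, the relabeling arguably belongs there rather than being re-run from rc.local on every boot.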

The qubes-vpn scripts need to have a context of system_u:object_r:bin_t:s0 and restorecon fixes qubes-vpn-handler.service

But the rules should be added/mainline'd properly, this is a hacky fix
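The commands above relabel by hand on every boot. As an added example, not code from the issue or from Qubes-vpn-support, the script below does two things: it parses `ls -Z` style "CONTEXT PATH" lines (a constructed sample, shaped like the listing in the report) and prints the files whose SELinux type does not match what their location calls for, and it applies a persistent fix with a `semanage fcontext` rule plus `restorecon` instead of `chcon`. The paths, the choice of `bin_t` as the target type for the scripts (taken from the `--reference=/usr/lib/qubes/qopen-in-vm` in the comment above), and the availability of `semanage` (policycoreutils-python-utils on Fedora) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue or of Qubes-vpn-support.
# Assumed: unit file lives in /lib/systemd/system, scripts live in /rw/config
# and are symlinked into /usr/lib/qubes; scripts should carry bin_t.

# Constructed sample in the two-field form `ls -Z` prints: "CONTEXT PATH".
SAMPLE_LS_Z='system_u:object_r:systemd_unit_file_t:s0 /lib/systemd/system/qubes-updates-proxy.service
unconfined_u:object_r:user_home_t:s0 /lib/systemd/system/qubes-vpn-handler.service
unconfined_u:object_r:user_home_t:s0 /rw/config/qubes-vpn-ns
system_u:object_r:bin_t:s0 /usr/lib/qubes/qopen-in-vm'

# context_type CONTEXT -> the type field (user:role:type:level, third field)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH -> the type a file at that location should carry
# (empty means "no opinion", so the file is skipped by the audit)
expected_type() {
    case "$1" in
        /lib/systemd/system/*|/usr/lib/systemd/system/*) echo systemd_unit_file_t ;;
        /rw/config/qubes-vpn-*|/usr/lib/qubes/qubes-vpn-*) echo bin_t ;;
        *) echo '' ;;
    esac
}

# mislabeled "CONTEXT PATH lines" -> prints each path whose type is wrong
mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        have=$(context_type "$ctx")
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# fix_labels: persistent replacement for the restorecon/chcon pair in rc.local.
# Safe to re-run; does nothing on a system without the SELinux userland.
fix_labels() {
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "restorecon not found; not an SELinux system" >&2
        return 1
    fi
    # The unit file path already has a policy entry, so restorecon alone fixes it.
    restorecon -v /lib/systemd/system/qubes-vpn-handler.service
    if command -v semanage >/dev/null 2>&1; then
        # Record the rule (-a), or update it if it already exists (-m), then relabel.
        semanage fcontext -a -t bin_t '/rw/config/qubes-vpn-.*' 2>/dev/null \
            || semanage fcontext -m -t bin_t '/rw/config/qubes-vpn-.*'
        restorecon -Rv /rw/config
    else
        # Fallback only: this label is lost on the next relabel.
        echo "semanage missing (policycoreutils-python-utils); using chcon" >&2
        chcon -t bin_t /rw/config/qubes-vpn-*
    fi
}

# With --audit, check the live system instead of the constructed sample.
if [ "${1:-}" = "--audit" ]; then
    mislabeled "$(ls -Z /lib/systemd/system/qubes-vpn-handler.service /rw/config/qubes-vpn-* 2>/dev/null)"
fi
```

Run `sh check-vpn-labels.sh --audit` in the template (or the VPN qube) to list what is still mislabeled, then `fix_labels` as root; the `semanage` rule lives in the template's policy store, so it survives both a `restorecon` and a full relabel, which the `chcon` in the rc.local patch does not.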

@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). C: networking affects-4.2 This issue affects Qubes OS 4.2. labels Oct 6, 2023
@michaelschefczyk

It would be very kind if you could solve this issue. When switching from Fedora 38 to Fedora 39, VPN with certificates does otherwise fail suddenly.

Adding the above to rc.local for sys-net (I did not try the template) did not solve the issue for me. Adding just "setenforce 0" (thanks to this hint: https://forum.qubes-os.org/t/openvpn-with-fedora-39-as-sys-net/25398/5) does do the job. However, a reasonably secure operating system might do better than just disable selinux for sys-net altogether.

Development

No branches or pull requests

4 participants