QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Qubes-vpn-support fails with SELinux Enforcing #8565

Open dylangerdaly opened 11 months ago

dylangerdaly commented 11 months ago

Qubes OS release

4.2RC3

Brief summary

When running with SELinux enforcing, I'm unable to use the Qubes-vpn-support project (with https://github.com/tasket/Qubes-vpn-support/pull/75)

This is due to SELinux not labeling the service correctly:

-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0  183 Sep 10 01:00 /lib/systemd/system/qubes-updates-proxy-forwarder@.service
-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0  313 Sep 10 01:00 /lib/systemd/system/qubes-updates-proxy.service
-rwxr-xr-x. 1 root root unconfined_u:object_r:user_home_t:s0     1545 Oct  5 00:58 /lib/systemd/system/qubes-vpn-handler.service

Steps to reproduce

Use the standard fedora-38 (non-xfce) template and install Qubes-vpn-support

Expected behavior

VPN connects successfully

Actual behavior

SELinux breaks because restorecon isn't run, or SELinux rules aren't being applied correctly

marmarek commented 11 months ago

Ok, so you identified which label is wrong already :) What if you run restorecon on it? Does it help? If yes, I guess it needs to be added to the installation instruction.

dylangerdaly commented 11 months ago

The above can be fixed by adding

restorecon -v /lib/systemd/system/*
chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*

diff

diff --git a/files-main/rc.local b/files-main/rc.local
index bb07274..c3de1f9 100644
--- a/files-main/rc.local
+++ b/files-main/rc.local
@@ -13,6 +13,8 @@ sync
 ln -s -f /rw/config/qubes-vpn-ns /usr/lib/qubes/qubes-vpn-ns
 ln -s -f /rw/config/qubes-vpn-openvpn-script /usr/lib/qubes/qubes-vpn-openvpn-script
 ln -s -f /rw/config/qubes-vpn-setup /usr/lib/qubes/qubes-vpn-setup
+restorecon -v /lib/systemd/system/*
+chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*

 # Start tunnel service
 systemctl daemon-reload
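Review bot: `chcon --reference=/usr/lib/qubes/qopen-in-vm -R qubes-vpn-*` uses a relative glob, so it only labels files under whatever directory rc.local happens to be executed from; the `ln -s` lines just above place the targets in /rw/config/ and the links in /usr/lib/qubes/, so the path should be spelled out, e.g. `chcon --reference=/usr/lib/qubes/qopen-in-vm /rw/config/qubes-vpn-*`. Likewise `restorecon -v /lib/systemd/system/*` relabels every unit file on each boot when the issue only identifies qubes-vpn-handler.service as mislabelled; narrowing it to `restorecon -v /lib/systemd/system/qubes-vpn-handler.service` keeps the change to what it is meant to fix.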
diff --git a/install b/install
old mode 100644
new mode 100755

The qubes-vpn scripts need to have a context of system_u:object_r:bin_t:s0, and restorecon fixes qubes-vpn-handler.service.

But the rules should be added/mainlined properly; this is a hacky fix.

michaelschefczyk commented 5 months ago

It would be very kind if you could solve this issue. When switching from Fedora 38 to Fedora 39, VPN with certificates does otherwise fail suddenly.

Adding the above to rc.local for sys-net (I did not try the template) did not solve the issue for me. Adding just "setenforce 0" (thanks to this hint: https://forum.qubes-os.org/t/openvpn-with-fedora-39-as-sys-net/25398/5) does do the job. However, a reasonably secure operating system might do better than just disable selinux for sys-net altogether.
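The thread boils down to two file types carrying the wrong SELinux type (a unit file labelled user_home_t instead of systemd_unit_file_t, and helper scripts that need bin_t), with "setenforce 0" as the workaround nobody likes. The following is an added example, not code from the issue or from Qubes-vpn-support: it parses ls -Z-style "<context> <path>" lines, compares the type field of each context with the type the thread says that path needs, and prints the targeted restorecon or chcon line for each mismatch, so a VM can be checked (and fixed) without turning SELinux off. The sample listing is constructed from the paths in the issue; the expected_type mapping and the ls -Z usage at the bottom are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the Qubes-vpn-support project): verify
# the SELinux type of the files the thread discusses and emit a per-file fix.

# Constructed sample in `ls -Z` format ("<context> <path>"), modelled on the
# listing in the issue; the contexts shown here are illustrative.
SAMPLE_LISTING='system_u:object_r:systemd_unit_file_t:s0 /lib/systemd/system/qubes-updates-proxy.service
unconfined_u:object_r:user_home_t:s0 /lib/systemd/system/qubes-vpn-handler.service
system_u:object_r:bin_t:s0 /usr/lib/qubes/qopen-in-vm
unconfined_u:object_r:user_home_t:s0 /rw/config/qubes-vpn-setup'

# expected_type PATH -> SELinux type the thread says PATH needs (assumed mapping)
expected_type() {
    case "$1" in
        /lib/systemd/system/*.service) echo systemd_unit_file_t ;;
        /usr/lib/qubes/*|/rw/config/qubes-vpn-*) echo bin_t ;;
        *) echo "" ;;   # not a path we know anything about
    esac
}

# context_type "user:role:type:level" -> "type"
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_listing: read "<context> <path>" lines on stdin and print one
# "MISMATCH <path> <actual> <expected> :: <fix>" line per wrong type.
# Returns 0 when every known path matches, 1 otherwise.
check_listing() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            rc=1
            case "$path" in
                # unit files have a policy default, so restorecon restores it
                /lib/systemd/system/*) fix="restorecon -v $path" ;;
                # the VPN scripts have no default; copy the label of a known bin_t file
                *) fix="chcon --reference=/usr/lib/qubes/qopen-in-vm $path" ;;
            esac
            printf 'MISMATCH %s %s %s :: %s\n' "$path" "$have" "$want" "$fix"
        fi
    done
    return $rc
}

# count_mismatches: number of mislabelled entries in the constructed sample
count_mismatches() {
    printf '%s\n' "$SAMPLE_LISTING" | check_listing | grep -c '^MISMATCH'
}

# Usage on a real VM (assumption: ls -Z prints "<context> <path>" per argument):
#   ls -Z /lib/systemd/system/qubes-vpn-handler.service /usr/lib/qubes/qubes-vpn-* | check_listing
```

Keeping the check and the fix per file is the point: restorecon only helps where the policy already has a default (the unit file), while the scripts need an explicit label, and neither needs the whole unit directory touched or SELinux disabled.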