tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Tailscale SSH broken on SELinux #12442

Open cshei opened 2 weeks ago

cshei commented 2 weeks ago

What is the issue?

https://github.com/tailscale/tailscale/commit/08a9551a73adb220dc0ed1b71a2d5845efc754b8 appears to have removed some SELinux-related workarounds and results in a "no shell: Permission denied" error when using Tailscale SSH to a Fedora 40 host.

Steps to reproduce

SSH to a Fedora 40 machine (with default SELinux settings) using Tailscale SSH. This fails with a "no shell: Permission denied" error.

Are there any recent changes that introduced the issue?

Updated to 1.68

OS

Linux

OS version

Fedora 40

Tailscale version

1.68.0

Other software

No response

Bug report

No response

oxtoacart commented 2 weeks ago

Looking into this now.

tswfi commented 2 weeks ago

Happens on Rocky Linux 9 also.

SSH as root to the machine works. As a regular user it gives the "no shell: Permission denied" error.

dnf downgrade tailscale helps (well, at least for a while, until automatic updates update it back up :)

tswfi commented 2 weeks ago

Also ref to this old issue: https://github.com/tailscale/tailscale/issues/4908 (which could probably be closed, as it is really old and SELinux rules seem to work on 1.66.4)

andrewbenton commented 2 weeks ago

I'm running into the same issue, also with Fedora 40 machines. I've found that the workaround mentioned in #4908 where you use tailscale ssh <host> -t /bin/bash gets around the issue for now.