Ssh-tunnel from systemd-service

Ask Fedora
1

I need permanent ssh-tunnel and setup launch via systemd service, but it not work with error

feb 25 23:11:41 inuc systemd[1]: Started cmp-tun-ssh.service - Systemd unit for ssh tunnel.
feb 25 23:11:41 inuc audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=cmp-tun-ssh comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
feb 25 23:11:41 inuc audit[198394]: AVC avc: denied { execute } for pid=198394 comm=“(ssh)” name=“ssh” dev=“dm-0” ino=2245088 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
feb 25 23:11:41 inuc (ssh)[198394]: cmp-tun-ssh.service: Unable to locate executable ‘/usr/bin/ssh’: Permission denied
feb 25 23:11:41 inuc (ssh)[198394]: cmp-tun-ssh.service: Failed at step EXEC spawning /usr/bin/ssh: Permission denied
feb 25 23:11:41 inuc systemd[1]: cmp-tun-ssh.service: Main process exited, code=exited, status=203/EXEC
feb 25 23:11:41 inuc systemd[1]: cmp-tun-ssh.service: Failed with result ‘exit-code’.
feb 25 23:11:41 inuc audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=cmp-tun-ssh comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=failed’

File /usr/bin/ssh have invalid SELinux context, i am copy it to /usr/bin/sshx and update unit-file and all work fine, but how to do it normally?

2

Maybe using sshuttle would work. I found this for a systemd-service:

# (0) Replace the gateway server name and the subnet address with your own values.
# (1) Put this file into ~/.config/systemd/user/sshuttle.service
# (2) Invoke `systemctl --user daemon-reload`
# (3) Invoke `systemctl --user start sshuttle.service`

[Unit]
Description=sshuttle
Requires=gpg-agent-ssh.socket
After=gpg-agent-ssh.socket

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=/run/user/%U/gnupg/S.gpg-agent.ssh
ExecStart=/usr/bin/sshuttle --remote=ssh-gateway-server.example.jp 198.51.100.0/24

[Install]
WantedBy=default.target

Found this here: https://gist.github.com/tsuchm/2d26f23246ee1253e61ef6d16fe96674

The man page for sshuttle online is here: https://sshuttle.readthedocs.io/en/stable/usage.html

3

I use openvpn, but now it not work, i think provider is ban protocol, ok, now traffic run via vless and sing-box, but server not support normal tun/tap device and i can’t forward incoming connections to end-host.

And i setup ssh p2p for this (create tun/tap with Tunnel=Ethernet option), but selinux policy prohibits little hac. It’s easier to turn it off

4

You don’t have to turn it off completely. Try this instead to just allow the systemd service to run ssh:

semanage fcontext -a -t bin_t '/usr/bin/ssh'
restorecon -v /usr/bin/ssh

Then see if your systemd service will work while SELinux is enabled.

5

Yes - it work, thanks.

But after dnf update system permissions lost?

I not sure, maby need create ticket, ssh-tunnel is normal practic, not best, not ugly, just work.

6

I found similar problems with Fedora 37 on this site. Why differece permission for this file.

7

No, the permissions will not be lost after an update or full system upgrade.

The semanage command allows you to define permissions that will persist.

You can use semanage -o to see what custom permissions have been set.

It is complicated, but the reason access to ssh is restricted for system services is because it could be used maliciously to gain access to your system or to exfiltrate information (and system services don’t normally need access to it anyway).

1 Like
8

Ok. Thank you