I am using Tailscale intensively, and the new SSH feature is very good to have on CoreOS, but unfortunately this SSH feature does not work while SELinux is enabled.
The only way I can work around it is to disable SELinux (kargs selinux=0) or put SELinux in permissive mode (kargs enforcing=0).
Here are the logs:
From Fedora 37 Silverblue:
$ ssh core@100.91.102.000
Last login: Mon Oct 17 16:13:10 from 192.168.1.236
Fedora CoreOS 37.20221008.1.0
core: no shell: Permission denied
Connection to 100.91.102.000 closed.
$
To CoreOS:
[core@coreos ~]$ journalctl -f
Oct 17 16:15:49 coreos tailscaled[846]: wgengine: idle peer [iyjH1] now active, reconfiguring WireGuard
Oct 17 16:15:49 coreos tailscaled[846]: wgengine: Reconfig: configuring userspace WireGuard config (with 1/4 peers)
Oct 17 16:15:49 coreos tailscaled[846]: magicsock: disco: node [iyjH1] d:4fedf6ffca504e66 now using 192.168.1.236:41641
Oct 17 16:15:49 coreos tailscaled[846]: Accept: TCP{100.81.178.000:38186 > 100.91.102.000:22} 60 tcp ok
Oct 17 16:15:49 coreos tailscaled[846]: Accept: TCP{100.81.178.000:38186 > 100.91.102.000:22} 52 tcp non-syn
Oct 17 16:15:49 coreos tailscaled[846]: Accept: TCP{100.81.178.000:38186 > 100.91.102.000:22} 73 tcp non-syn
Oct 17 16:15:51 coreos tailscaled[846]: ssh-conn-20221017T141549-d00eb501ef: handling conn: 100.81.178.000:38186->core@100.91.102.000:22
Oct 17 16:15:51 coreos tailscaled[846]: ssh-conn-20221017T141549-d00eb501ef: starting session: sess-20221017T141551-346ab4ffeb
Oct 17 16:15:51 coreos tailscaled[846]: ssh-session(sess-20221017T141551-346ab4ffeb): handling new SSH connection from mymail@mymail.com (100.81.178.000) to ssh-user "core"
Oct 17 16:15:51 coreos tailscaled[846]: ssh-session(sess-20221017T141551-346ab4ffeb): access granted to mymail@mymail.com as ssh-user "core"
Oct 17 16:15:51 coreos tailscaled[846]: ssh-session(sess-20221017T141551-346ab4ffeb): starting pty command: [/usr/sbin/tailscaled be-child ssh --uid=1000 --gid=1000 --groups=1000,4,10,16,190,982 --local-user=core --remote-user=mymail@mymail.com --remote-ip=100.81.178.000 --has-tty=true --tty-name=pts/1 --shell --login-cmd=/usr/bin/login --cmd=/bin/bash -- -l]
Oct 17 16:15:51 coreos audit[2228]: USER_ACCT pid=2228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos kernel: audit: type=1101 audit(1666016151.485:309): pid=2228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos audit[2228]: CRED_ACQ pid=2228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos audit[2228]: SYSCALL arch=c00000b7 syscall=64 success=yes exit=4 a0=3 a1=ffffc23259b0 a2=4 a3=1 items=0 ppid=846 pid=2228 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts1 ses=4 comm="login" exe="/usr/bin/login" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
Oct 17 16:15:51 coreos audit: PROCTITLE proctitle=2F7573722F62696E2F6C6F67696E002D660000000000002D68003130302E38312E3137382E3338002D70
Oct 17 16:15:51 coreos audit[2228]: USER_ROLE_CHANGE pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos kernel: audit: type=1103 audit(1666016151.495:310): pid=2228 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos kernel: audit: type=1006 audit(1666016151.495:311): pid=2228 uid=0 subj=system_u:system_r:unconfined_service_t:s0 old-auid=4294967295 auid=1000 tty=pts1 old-ses=4294967295 ses=4 res=1
Oct 17 16:15:51 coreos kernel: audit: type=1300 audit(1666016151.495:311): arch=c00000b7 syscall=64 success=yes exit=4 a0=3 a1=ffffc23259b0 a2=4 a3=1 items=0 ppid=846 pid=2228 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=1000 fsgid=0 tty=pts1 ses=4 comm="login" exe="/usr/bin/login" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
Oct 17 16:15:51 coreos kernel: audit: type=1327 audit(1666016151.495:311): proctitle=2F7573722F62696E2F6C6F67696E002D660000000000002D68003130302E38312E3137382E3338002D70
Oct 17 16:15:51 coreos kernel: audit: type=2300 audit(1666016151.495:312): pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos systemd-logind[784]: New session 4 of user core.
Oct 17 16:15:51 coreos systemd[1]: Started session-4.scope - Session 4 of User core.
Oct 17 16:15:51 coreos login[2228]: pam_unix(remote:session): session opened for user core(uid=1000) by (uid=0)
Oct 17 16:15:51 coreos audit[2228]: USER_START pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos audit[2228]: CRED_REFR pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos audit[2228]: USER_LOGIN pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=login id=1000 exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=pts/1 res=success'
Oct 17 16:15:51 coreos login[2228]: LOGIN ON pts/1 BY core FROM 100.81.178.000
Oct 17 16:15:51 coreos audit[2233]: AVC avc: denied { transition } for pid=2233 comm="login" path="/usr/bin/bash" dev="mmcblk1p4" ino=532455 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
Oct 17 16:15:51 coreos kernel: audit: type=1105 audit(1666016151.545:313): pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos kernel: audit: type=1110 audit(1666016151.545:314): pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos kernel: audit: type=1112 audit(1666016151.545:315): pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=login id=1000 exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=pts/1 res=success'
Oct 17 16:15:51 coreos kernel: audit: type=1400 audit(1666016151.545:316): avc: denied { transition } for pid=2233 comm="login" path="/usr/bin/bash" dev="mmcblk1p4" ino=532455 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
Oct 17 16:15:51 coreos audit[2233]: SYSCALL arch=c00000b7 syscall=221 success=no exit=-13 a0=aaaac3ca10bd a1=ffffc2325d60 a2=aaaac3c92200 a3=2aaab0f2842f4 items=0 ppid=2228 pid=2233 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="login" exe="/usr/bin/login" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
Oct 17 16:15:51 coreos audit: PROCTITLE proctitle=6C6F67696E202D2D20636F7265
Oct 17 16:15:51 coreos audit[2228]: CRED_DISP pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos login[2228]: pam_unix(remote:session): session closed for user core
Oct 17 16:15:51 coreos audit[2228]: USER_END pid=2228 uid=0 auid=1000 ses=4 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="core" exe="/usr/bin/login" hostname=100.81.178.000 addr=100.81.178.000 terminal=/dev/pts/1 res=success'
Oct 17 16:15:51 coreos tailscaled[846]: ssh-session(sess-20221017T141551-346ab4ffeb): Session complete
Oct 17 16:15:51 coreos systemd[1]: session-4.scope: Deactivated successfully.
Oct 17 16:15:51 coreos systemd-logind[784]: Session 4 logged out. Waiting for processes to exit.
Oct 17 16:15:51 coreos systemd-logind[784]: Removed session 4.
^C
[core@coreos ~]$
SELinux context of tailscale & tailscaled:
[core@coreos ~]$ ls -lZ /usr/bin/tailscale /usr/sbin/tailscaled
-rwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 13521479 Jan 1 1970 /usr/bin/tailscale
-rwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 23945355 Jan 1 1970 /usr/sbin/tailscaled
[core@coreos ~]$
Upstream issue link: ssh: handle SELinux somehow? · Issue #4908 · tailscale/tailscale · GitHub
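
An added example, not part of the original post: a small Python parser that pulls the SELinux AVC denial out of journal output like the log above and collapses the duplicate `audit[...]` and `kernel: audit:` records into one summary per source type, target type, class and permission. The sample lines are copied from the log in the post; the function names are this example's own.

```python
import re

# Three lines copied from the journal output in the post: one unrelated line and
# the same AVC denial as logged by audit[...] and again by the kernel.
SAMPLE = '''\
Oct 17 16:15:51 coreos login[2228]: LOGIN ON pts/1 BY core FROM 100.81.178.000
Oct 17 16:15:51 coreos audit[2233]: AVC avc: denied { transition } for pid=2233 comm="login" path="/usr/bin/bash" dev="mmcblk1p4" ino=532455 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
Oct 17 16:15:51 coreos kernel: audit: type=1400 audit(1666016151.545:316): avc: denied { transition } for pid=2233 comm="login" path="/usr/bin/bash" dev="mmcblk1p4" ino=532455 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial line as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Group denials by (source type, target type, class, perms, path)."""
    seen = {}
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (type_of(avc['scontext']), type_of(avc['tcontext']),
               avc['tclass'], tuple(avc['perms']), avc.get('path', ''))
        entry = seen.setdefault(key, {'count': 0, 'enforced': False})
        entry['count'] += 1
        # permissive=0 means the denial was enforced, not just logged.
        entry['enforced'] |= avc.get('permissive') == '0'
    return seen


if __name__ == '__main__':
    for (src, tgt, cls, perms, path), info in summarize(SAMPLE).items():
        print(f"{src} -> {tgt} [{cls}: {' '.join(perms)}] path={path} {info}")
```

On the sample it reports a single enforced denial: `login`, still running in `unconfined_service_t`, was refused the `transition` to `unconfined_t` when executing `/usr/bin/bash`.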