lzc256
/
tailscale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
tailscale/ipn
History
Maisem Ali 2ae670eb71 ssh/tailssh: work around lack of scontext in SELinux 
Trying to SSH when SELinux is enforced results in errors like:

```
➜  ~ ssh ec2-user@<ip>
Last login: Thu Jun  1 22:51:44 from <ip2>
ec2-user: no shell: Permission denied
Connection to <ip> closed.
```

while the `/var/log/audit/audit.log` has
```
type=AVC msg=audit(1685661291.067:465): avc:  denied  { transition } for  pid=5296 comm="login" path="/usr/bin/bash" dev="nvme0n1p1" ino=2564 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
```

The right fix here would be to somehow install the appropriate context when
tailscale is installed on host, but until we figure out a way to do that
stop using the `login` cmd in these situations.

Updates #4908

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 		2023-06-20 10:44:22 -07:00
..
ipnauth all: update copyright and license headers 2023-01-27 15:36:29 -08:00
ipnlocal ssh/tailssh: work around lack of scontext in SELinux 2023-06-20 10:44:22 -07:00
ipnserver tsd: add package with System type to unify subsystem init, discovery 2023-05-04 14:21:59 -07:00
ipnstate version: detect tvOS by checking XPC_SERVICE_NAME (#8295) 2023-06-07 12:19:31 -07:00
localapi tka: provide verify-deeplink local API endpoint (#8303) 2023-06-13 11:39:23 -07:00
policy ipn: prefer allow/denylist terminology 2023-04-04 08:02:50 -07:00
store ipn/store/awsstore: persist state with intelligent tiering 2023-04-24 14:35:13 -04:00
backend.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
doc.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
fake_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
ipn_clone.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
ipn_view.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
prefs.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
prefs_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
serve.go cmd/tailscale/cli: do not allow turning Funnel on while shields-up (#7770) 2023-04-04 22:20:27 -04:00
serve_test.go ipn: add Funnel port check from nodeAttr 2023-03-11 11:20:52 -08:00
store.go ipn/store: add support for stores to hook into a custom dialer 2023-03-29 16:35:46 -07:00