SELinux policy for Tailscale
- Fedora 37
- Service Start and Stop
- Tailscale SSH for unconfined users only
Build the policy module:
sudo dnf install selinux-policy-devel
git clone git@github.com:abhiseksanyal/tailscale-selinux-policy.git
cd tailscale-selinux-policy
make -f /usr/share/selinux/devel/Makefile tailscaled.pp
This will create the policy module file "tailscaled.pp".
Environment tested on
- Tailscale 1.34.2
- Fedora 37
- Kernel 6.1.6-200.fc37.x86_64
Check the current context of the running tailscaled, before the policy is loaded:
ps -q $(pidof tailscaled) -o pid,label,comm
Output will be something like:
PID LABEL COMMAND
221929 system_u:system_r:unconfined_service_t:s0 tailscaled
NOTE: You can also run ps -eafZ and look for the tailscaled line.
Stop tailscale service
sudo systemctl stop tailscaled
sudo semodule -i tailscaled.pp
sudo restorecon /usr/sbin/tailscaled
sudo restorecon /lib/systemd/system/tailscaled.service
sudo restorecon -R /var/lib/tailscale
sudo restorecon -R /var/run/tailscale
This step is required only once; repeat it only if Tailscale is reinstalled.
NOTE: Ignore the restorecon error if "/var/run/tailscale" does not exist.
Start tailscale service
sudo systemctl start tailscaled
Check the context
ps -q $(pidof tailscaled) -o pid,label,comm
Output will be something like:
PID LABEL COMMAND
222705 system_u:system_r:tailscaled_t:s0 tailscaled
NOTE: You can also run ps -eafZ and look for the tailscaled line.
The Tailscale service is now running as a confined service with the context "tailscaled_t".
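The two context checks above (before and after loading the module) are easy to script so the result is not read by eye. The script below is an added example, not part of the tailscale-selinux-policy repository: it splits the label shown by ps into its user:role:type:level fields and reports whether the type is the confined tailscaled_t or the original unconfined_service_t. The two sample labels are copied from the ps output shown above; the live check (--live) assumes pidof and procps ps are available, as on Fedora.

```shell
#!/bin/sh
# Added example (not from the tailscale-selinux-policy repository): check whether
# tailscaled runs in the confined tailscaled_t domain after the module is loaded.
# Assumed: SELinux labels have the form user:role:type:level, the confined type is
# tailscaled_t and the pre-policy type is unconfined_service_t (both taken from the
# ps output shown on the page).

EXPECTED_TYPE="tailscaled_t"
UNCONFINED_TYPE="unconfined_service_t"

# label_type LABEL -> prints the type component of an SELinux label,
# e.g. "system_u:system_r:tailscaled_t:s0" -> "tailscaled_t"
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_label LABEL -> prints "confined", "unconfined" or "unexpected"
classify_label() {
    case "$(label_type "$1")" in
        "$EXPECTED_TYPE")   echo confined ;;
        "$UNCONFINED_TYPE") echo unconfined ;;
        *)                  echo unexpected ;;
    esac
}

# Live check: query the running tailscaled, if any. Returns 0 only when confined.
check_running_tailscaled() {
    pid=$(pidof tailscaled 2>/dev/null | cut -d' ' -f1)
    if [ -z "$pid" ]; then
        echo "tailscaled is not running" >&2
        return 2
    fi
    label=$(ps -q "$pid" -o label= | head -n1)
    verdict=$(classify_label "$label")
    echo "tailscaled pid $pid label $label: $verdict"
    [ "$verdict" = confined ]
}

# Constructed sample labels, copied from the ps output shown on the page.
BEFORE_LABEL="system_u:system_r:unconfined_service_t:s0"
AFTER_LABEL="system_u:system_r:tailscaled_t:s0"

if [ "${1:-}" = "--live" ]; then
    check_running_tailscaled
else
    echo "before loading the module: $(classify_label "$BEFORE_LABEL")"
    echo "after loading the module:  $(classify_label "$AFTER_LABEL")"
fi
```

Run it with --live on the host to check the real service; without arguments it only classifies the two sample labels. A verdict of "unexpected" after the install steps usually means restorecon was not run on /usr/sbin/tailscaled or the unit file before the service was restarted, so the domain transition did not happen.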
To remove the policy and return tailscaled to an unconfined service:
- Stop the tailscale service
- Unload the SELinux policy module using the following command
sudo semodule -r tailscaled
- Restore the default context of the Tailscale files
sudo restorecon /usr/sbin/tailscaled
sudo restorecon /lib/systemd/system/tailscaled.service
sudo restorecon -R /var/lib/tailscale
sudo restorecon -R /var/run/tailscale
NOTE: Ignore the restorecon error if "/var/run/tailscale" does not exist.
- Start the tailscale service