amnezia-vpn/amnezia-client

Connection doesn't work on Fedora Kinoite

Knebergish opened this issue · 0 comments

Describe the bug
Connection to the server does not work after installation on Fedora 39 Kinoite with the error mentioned below.

To Reproduce

  1. Install AmneziaVPN client
  2. Run the application
  3. Press "Connect" button

Expected behavior
Connection to the server is successfully established.

Actual behavior
"Internal error" message appeared.

Log files
In the logs of the application:

"ConnectToVpn, Server index is 0, container is amnezia-awg, route mode is" Settings::VpnAllSites
IpcClient::init failed
Error occurred when init IPC client

In the journald:

fedora systemd[1]: AmneziaVPN.service: Scheduled restart job, restart counter is at 571.
fedora audit[25405]: AVC avc: denied { execute } for pid=25405 comm="(rvice.sh)" name="AmneziaVPN-service.sh" dev="dm-7" ino=1450316 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
fedora (rvice.sh)[25405]: AmneziaVPN.service: Failed to locate executable /opt/AmneziaVPN/service/AmneziaVPN-service.sh: Permission denied
fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=AmneziaVPN comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
fedora (rvice.sh)[25405]: AmneziaVPN.service: Failed at step EXEC spawning /opt/AmneziaVPN/service/AmneziaVPN-service.sh: Permission denied
fedora systemd[1]: Started AmneziaVPN.service - AmneziaVPN Service.
fedora systemd[1]: AmneziaVPN.service: Main process exited, code=exited, status=203/EXEC
fedora systemd[1]: AmneziaVPN.service: Failed with result 'exit-code'.
fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=AmneziaVPN comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Desktop

  • OS: Fedora 39 Kinoite
  • AmneziaVPN Version: 4.1.0.1 or 4.3.0.0 Pre Release

Server

  • OS: Ubuntu 22.04

Additional context
As you can see in the journald logs, AmneziaVPN.service can't start because of SELinux policies, and simply enters an endless restart cycle.
I'm not an expert in the configuration of things like that, but I managed to solve the problem by copying the security context from the /usr/bin/ folder to the folder with the application:
sudo chcon --reference=/usr/bin/ /opt/AmneziaVPN/ -R

Initial context of the application folder:

> ls -Zd /opt/AmneziaVPN/
unconfined_u:object_r:var_t:s0 /opt/AmneziaVPN/

After fix:

> ls -Zd /opt/AmneziaVPN/
system_u:object_r:bin_t:s0 /opt/AmneziaVPN/

It may not be the right solution to the problem, but at least it works - after changing the context, the service successfully starts, and the connection to the server is successfully established.
Maybe we can add a similar configuration to the installation process of the application on environments with SELinux? If not, at least anyone can find a workaround here.


An additional (but much less important) problem: the post_install.sh script contains lines like these:

echo "user desktop creation loop started" >> $LOG_FILE
sudo cp $APP_PATH/$APP_NAME.desktop /usr/share/applications/ >> $LOG_FILE
sudo cp $APP_PATH/$APP_NAME.png /usr/share/pixmaps/ >> $LOG_FILE
sudo chmod 555 /usr/share/applications/$APP_NAME.desktop >> $LOG_FILE

Unfortunately, on immutable systems such as Fedora Silverblue or Fedora Kinoite, the /usr/share/ path is mounted as read-only, and the execution of these lines ends with errors:

cp: cannot create regular file '/usr/share/applications/AmneziaVPN.desktop': Read-only file system
cp: cannot create regular file '/usr/share/pixmaps/AmneziaVPN.png': Read-only file system
chmod: cannot access '/usr/share/applications/AmneziaVPN.desktop': No such file or directory

So, no application entry is created. As a workaround, I placed the .desktop file in the ~/.local/share/applications/ directory, and set the image path to point directly to the application folder (Icon=/opt/AmneziaVPN/AmneziaVPN.png). It worked successfully on my environment.


If you think that the application should not support installation on such an environment, then you can close this issue, no problem - the manual fix takes only a little time. If someone else encounters such problems, even this one comment may be useful.

Thank you for such a great application!
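
Added example (not part of the original issue or of the AmneziaVPN project): a small triage helper that reads journald text, summarises each SELinux AVC denial, and flags the case reported above, where systemd (`init_t`) is refused `execute` on a service file because of its label. The function names `avc_summary` and `blocked_unit_execs` are hypothetical; the first sample line is the denial quoted in the issue, the second is constructed.

```bash
#!/usr/bin/env bash
# Summarise SELinux AVC denials found in journald/audit text on stdin.
# Output per denial (tab-separated): perms, source type, target type, class, name.
avc_summary() {
  awk '
    /avc: +denied/ {
      perm = ""
      if (match($0, /[{][^}]*[}]/)) {          # permission list inside { ... }
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      split("", kv)                            # reset key=value map for this line
      n = split($0, tok, " ")
      for (i = 1; i <= n; i++) {
        eq = index(tok[i], "=")
        if (eq > 1) {
          v = substr(tok[i], eq + 1); gsub(/"/, "", v)
          kv[substr(tok[i], 1, eq - 1)] = v
        }
      }
      # An SELinux context is user:role:type:level; the type is field 3.
      split(kv["scontext"], s, ":"); split(kv["tcontext"], t, ":")
      printf "%s\t%s\t%s\t%s\t%s\n", perm, s[3], t[3], kv["tclass"], kv["name"]
    }'
}

# Keep only denials where init_t was refused "execute" on a file, i.e. systemd
# could not start a unit because of the label on its executable.
blocked_unit_execs() {
  avc_summary | awk -F'\t' '
    $2 == "init_t" && $4 == "file" && $1 ~ /(^| )execute( |$)/ {
      printf "%s labelled %s\n", $5, $3
    }'
}

# Sample input: line 1 is the denial from the issue, line 2 is constructed,
# line 3 is a non-AVC journal line that must be ignored.
SAMPLE_LOG='fedora audit[25405]: AVC avc: denied { execute } for pid=25405 comm="(rvice.sh)" name="AmneziaVPN-service.sh" dev="dm-7" ino=1450316 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
fedora audit[1]: AVC avc: denied { read } for pid=1 comm="example" name="example.conf" dev="dm-7" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
fedora systemd[1]: AmneziaVPN.service: Main process exited, code=exited, status=203/EXEC'

printf '%s\n' "$SAMPLE_LOG" | blocked_unit_execs
```

On a live system the same filter can be fed from the journal, for example `journalctl -b | blocked_unit_execs`.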