Score:0

How to configure SELinux such that it will not block the execution of endlessh

j j

I was prompted with an execution error when I checked on endlessh status. I believe SELinux is blocking that execution; how do I let SELinux allow that execution?

[root@fedora endlessh]# systemctl status endlessh.service
× endlessh.service - Endlessh SSH Tarpit
     Loaded: loaded (/etc/systemd/system/endlessh.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Tue 2023-01-03 19:17:46 +08; 12s ago
   Duration: 110ms
       Docs: man:endlessh(1)
    Process: 4331 ExecStart=/usr/local/bin/endlessh (code=exited, status=203/EXEC)
   Main PID: 4331 (code=exited, status=203/EXEC)
        CPU: 95ms

How it looks in my configuration file:

[root@fedora endlessh]# sudo nano /etc/systemd/system/endlessh.service
[Unit]
Description=Endlessh SSH Tarpit
Documentation=man:endlessh(1)
Requires=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=30sec
ExecStart=/usr/local/bin/endlessh      
KillSignal=SIGTERM

# Stop trying to restart the service if it restarts too many times in a row
StartLimitInterval=5min
StartLimitBurst=4

StandardOutput=journal
StandardError=journal
StandardInput=null

PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true

#InaccessiblePaths=/run /var

## If you want Endlessh to bind on ports < 1024
## 1) run: 
##     setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
## 2) uncomment following line
AmbientCapabilities=CAP_NET_BIND_SERVICE
## 3) comment following line
#PrivateUsers=true

NoNewPrivileges=true
ConfigurationDirectory=endlessh
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target

asktyagi
Update your question with `journalctl -u endlessh.service -l` output, specifically errors.
Score:0

First off, you don't know at all if it's SELinux; you just suspect something. Second, SELinux isn't as simple as "it allows process x to run or not"; it's much more than that. There's source context, target context, and action, among others.

First you need to collect the denied actions. Start logging actions denied by SELinux:

tail -f /var/log/audit/audit.log | grep denied

Then start endlessh and see if anything comes up. If not, then it's not SELinux. If yes, then save those denied actions into a text file, e.g. endlessh.log.

Now tell SELinux to allow those actions:

audit2allow -i endlessh.log -M endlessh
semodule -i endlessh.pp

Now here comes the tricky part: SELinux will allow the specific action(s) found in the log file, but other, different actions might follow, because an executable may do thousands of different things. It may want to do things A, B, and C, but if SELinux blocks even action A, it won't even reach B and C, since it's already failed. So you need to keep iterating and adding those new denied actions, then restarting endlessh, until it finally works and there are no new "denied" lines appearing in the audit log whatsoever when you start endlessh.


Your other, probably more efficient option is to set SELinux to permissive, in which case it logs the denied actions, but doesn't actually deny them. In this case you can be sure that all actions you need to allow will appear in the log in just one run. To do this, edit /etc/selinux/config:

SELINUX=permissive

Reboot, then do the log collecting and SELinux module installation, as explained above. Once all done, set SELinux back to enforcing:

SELINUX=enforcing

Reboot, and you're good to go.

More details: SELinux Crash Course
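As an added example (not code from this thread or from the endlessh project), the iteration loop described in this answer written out as a shell script. It filters AVC denials that mention endlessh out of the audit log, reduces them to unique source/target/class/permission rules so the policy audit2allow will generate can be reviewed before it is loaded, and regenerates the module from the cumulative denial file each round so earlier rules are not lost when a module of the same name replaces the previous one. The sample audit lines at the top are constructed, with placeholder type names, and are not from the asker's system; the `--iterate` mode assumes `audit2allow`, `semodule` and `systemctl` are on PATH, that the unit is `endlessh.service`, and that the audit log is at the default path.

```shell
#!/bin/sh
# Added example, not code from the thread or from the endlessh project.
# Assumptions: audit2allow, semodule and systemctl are on PATH when run with
# --iterate; the unit is endlessh.service; the audit log is the default path.
set -u

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}
SERVICE=${SERVICE:-endlessh.service}
MODULE=${MODULE:-endlessh}
ALL_DENIALS=${ALL_DENIALS:-./endlessh.log}   # cumulative file, as in the answer

# Keep only AVC denials that mention endlessh. systemd logs the pre-exec
# process as comm="(endlessh)", so match the name anywhere on the line.
collect_denials() {
    grep 'avc:.*denied' "$1" | grep -F 'endlessh'
    return 0
}

# Reduce raw AVC lines to unique "scontext -> tcontext tclass { perms }" rules,
# which is the shape of the allow rules audit2allow will generate from them.
summarize_denials() {
    collect_denials "$1" |
    sed -n 's/.*denied  *{ \([^}]*[^ }]\) *}.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 -> \3 \4 { \1 }/p' |
    sort -u
}

count_denials() {
    summarize_denials "$1" | wc -l | tr -d ' '
}

# One round per loop: note the current log length, restart the service, look
# only at lines appended since then, and rebuild the module from ALL denials
# seen so far (a module of the same name replaces the previous one, so
# rebuilding from only the newest lines would drop the earlier rules).
iterate_until_clean() {
    max=${1:-10}
    round=1
    : >> "$ALL_DENIALS"
    while [ "$round" -le "$max" ]; do
        before=$(wc -l < "$AUDIT_LOG")
        systemctl restart "$SERVICE" || true
        sleep 2
        snap=$(mktemp)
        tail -n "+$((before + 1))" "$AUDIT_LOG" > "$snap"
        if [ "$(count_denials "$snap")" = "0" ]; then
            echo "round $round: no new denials; $SERVICE is not blocked by SELinux"
            rm -f "$snap"
            return 0
        fi
        echo "round $round: new denials:"
        summarize_denials "$snap"
        collect_denials "$snap" >> "$ALL_DENIALS"
        rm -f "$snap"
        # Generate the policy, show the human-readable .te for review, then load it.
        audit2allow -i "$ALL_DENIALS" -M "$MODULE" >/dev/null
        cat "$MODULE.te"
        semodule -i "$MODULE.pp"
        round=$((round + 1))
    done
    echo "gave up after $max rounds; inspect $AUDIT_LOG by hand" >&2
    return 1
}

# Constructed sample audit lines (placeholder contexts, not the asker's system)
# so the parsing can be exercised without root or SELinux.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SERVICE_START msg=audit(1672744666.100:450): pid=1 uid=0 msg='unit=endlessh comm="systemd" res=success'
type=AVC msg=audit(1672744666.123:451): avc:  denied  { execute } for  pid=4331 comm="(endlessh)" name="endlessh" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:placeholder_t:s0 tclass=file permissive=0
type=AVC msg=audit(1672744666.124:452): avc:  denied  { execute } for  pid=4331 comm="(endlessh)" name="endlessh" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:placeholder_t:s0 tclass=file permissive=0
type=AVC msg=audit(1672744670.500:453): avc:  denied  { read open } for  pid=4340 comm="endlessh" name="config" dev="dm-0" ino=5678 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:placeholder_t:s0 tclass=file permissive=0
type=AVC msg=audit(1672744671.000:454): avc:  denied  { name_bind } for  pid=9999 comm="otherdaemon" src=8080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:placeholder_port_t:s0 tclass=tcp_socket permissive=0
EOF

if [ "${1:-}" = "--iterate" ]; then
    iterate_until_clean "${2:-10}"
else
    echo "unique denials in constructed sample:"
    summarize_denials "$SAMPLE_LOG"
fi
```

Run it with no arguments to see the filtering on the constructed sample (the service-start line and the unrelated daemon's denial are dropped, and the two identical execute denials collapse to one rule), or with `--iterate` as root on the affected host. In permissive mode, as the answer suggests, a single round collects everything; in enforcing mode the loop keeps going until a restart produces no new denials.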

Score:-1

If you installed endlessh from source, you need to remove it and install it as an RPM package and then reconfigure it; it is supposed to work.

I do find it interesting that, since the user is suspecting a problem with SELinux, the source RPM does not mention any change to SELinux policies. Is it "supposed to work" or does it work without system changes? The source RPM just builds and installs in `/usr/local/bin`. Also, the OP did not specify whether he installed from RPM or source.
abdus
I had a similar problem, and the only difference is that I use AlmaLinux. I looked for the solution, and on GitHub they suggested using the RPM package; I tried it and it worked, without needing to change any SELinux parameters, and my SELinux is enabled with the default Alma settings. I had also installed endlessh from source at the beginning. You are right, though, but there is a sign that he installed endlessh from source: if you look at the location in his shell, you will find an endlessh directory; you never switch to that directory when installing an RPM, if I am not mistaken.