fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Wireguard is blocked with systemd-creds #1675

Open quentin9696 opened 1 year ago

quentin9696 commented 1 year ago

Hello,

I was using Fedora CoreOS f37. I decided to migrate to CoreOS f38 since it's the new stable stream.

In the past, I had no issue because wireguard and wg-quick were using the bin_t context. Since F38, they use the new context wireguard_exec_t.

In my wg-quick config file, I use the directive `PostUp = wg set %i private-key <(/usr/bin/systemd-creds decrypt /path/to/my/secret)`. This allows me to load my credential at runtime and avoids leaking private keys.

Because there is a new policy for wireguard, I got an issue with F38. When I disable SELinux, everything works well.

I got this issue:

AVC avc: denied { read } for pid=6985 comm="systemd-creds" name="WGPrivateKey" dev="tmpfs" ino=5161 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=

I think it would be nice to create an optional policy to allow wg-quick to fetch a secret from systemd-creds.

I'm new to SELinux, so I'm open to any suggestion on how to create the PR for an optional policy that allows wireguard_t to fetch a secret from var_run_t.

According to the systemd-creds documentation, the standard paths the secret is loaded from are /run/credstore.encrypted/, /etc/credstore.encrypted/, and /usr/lib/credstore.encrypted/.
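As an added example (not code from this issue or from the selinux-policy project), the following script turns AVC lines like the one above into the minimal `allow` rule a local policy module would need, the way `audit2allow` does in miniature. The second AVC line in the sample is constructed: it stands for the `open` denial that typically follows once `read` is permitted, so the example groups several denials into one rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC reported in the issue plus a hypothetical
# follow-up denial for "open" on the same credential file.
SAMPLE_AVCS = """\
AVC avc: denied { read } for pid=6985 comm="systemd-creds" name="WGPrivateKey" dev="tmpfs" ino=5161 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
AVC avc: denied { open } for pid=6985 comm="systemd-creds" name="WGPrivateKey" dev="tmpfs" ino=5161 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
"""

# Fields of an AVC record that matter for an allow rule: the denied permission
# set, the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:range; the type is the third field.
    return {
        "perms": set(m["perms"].split()),
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }


def collect_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_te(rules, name="wireguard_systemd_creds"):
    """Render policy module source (.te) declaring and allowing the denials."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(collect_denials(SAMPLE_AVCS)))
```

The generated rule grants wireguard_t access to every var_run_t file, which is far broader than the single credential in the report; it is a local workaround, while a proper fix in selinux-policy would label the credential store with a dedicated type and allow only that.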

quentin9696 commented 1 year ago

Related issue: https://github.com/coreos/fedora-coreos-tracker/issues/1487