I was using Fedora CoreOS F37. I decided to migrate to CoreOS F38 since it's the new stable stream.
In the past, I had no issue because wireguard and wg-quick were using the bin_t context. Since F38, they use the new context wireguard_exec_t.
In my wg-quick config file, I use the directive PostUp = wg set %i private-key <(/usr/bin/systemd-creds decrypt /path/to/my/secret). This allows me to load my credential at runtime and avoids leaking private keys.
Because there is a new policy for wireguard, I get an issue with F38. When I disable SELinux, everything works well.
I got this issue:
AVC avc: denied { read } for pid=6985 comm="systemd-creds" name="WGPrivateKey" dev="tmpfs" ino=5161 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=
I think it would be nice to create an optional policy to allow wg-quick to fetch a secret from systemd-creds.
I'm new to SELinux, so I'm open to any suggestion to create the PR that makes the optional policy allowing wireguard_t to fetch a secret from var_run_t.
According to the systemd-creds documentation, the standard paths the secret is loaded from are /run/credstore.encrypted/, /etc/credstore.encrypted/, and /usr/lib/credstore.encrypted/.
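Added example (not code from the issue author or the policy project): a small POSIX shell script that parses the AVC record quoted above into its source type, target type, class and permissions, and emits the corresponding local Type Enforcement module; the module name wireguard_creds, the helper names and the sample AVC line (copied from the issue with permissive=0 filled in) are assumptions of this example. The install step needs checkmodule, semodule_package and semodule from policycoreutils and root privileges.

```shell
#!/bin/sh
# Constructed sample input: the denial from the issue, trailing field completed.
AVC_LINE='AVC avc: denied { read } for pid=6985 comm="systemd-creds" name="WGPrivateKey" dev="tmpfs" ino=5161 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

# Value of one key=value field in an AVC record ($1 = record, $2 = key).
# Values may be double-quoted (name="WGPrivateKey") or bare (tclass=file).
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.* '"$2"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# Type component of a label user:role:type:level, e.g. var_run_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions listed between the braces of "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# Emit a TE module (assumed name wireguard_creds) granting exactly the
# denied permissions from one AVC record.
avc_to_te() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    cat <<EOF
module wireguard_creds 1.0;

require {
    type $src;
    type $tgt;
    class $cls { $perms };
}

# Note: this grants $src "$perms" on every $cls labelled $tgt, i.e. on
# everything under /run, not only the credential file.
allow $src $tgt:$cls { $perms };
EOF
}

# Compile and load the module (root; policycoreutils required).
install_te() {
    avc_to_te "$AVC_LINE" > wireguard_creds.te
    checkmodule -M -m -o wireguard_creds.mod wireguard_creds.te
    semodule_package -o wireguard_creds.pp -m wireguard_creds.mod
    semodule -i wireguard_creds.pp
}

case ${1:-show} in
    install) install_te ;;
    *) avc_to_te "$AVC_LINE" ;;
esac
```

Run it without arguments to review the generated .te text first; pass install to build and load it.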