fedora-silverblue / issue-tracker

Fedora Silverblue issue tracker
https://fedoraproject.org/atomic-desktops/silverblue/

wg-quick systemd service SELinux denial #462

Closed Geomancer626 closed 1 year ago

Geomancer626 commented 1 year ago

Describe the bug Attempting to start a Wireguard tunnel through the systemd service results in a permission denied error for nft attempting to access /dev/fd/63. The tunnel is successfully created when issued through the wg-quick command instead of the systemd service ("wg-quick up 'config name'"). Setting SELinux to permissive allows the systemd service to function normally. SELinux audit logs show the following denials.

----
time->Mon Apr 24 11:26:10 2023
type=AVC msg=audit(1682353570.797:274): avc:  denied  { open } for  pid=5141 comm="nft" path="pipe:[43954]" dev="pipefs" ino=43954 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=1
----
time->Mon Apr 24 11:26:10 2023
type=AVC msg=audit(1682353570.809:276): avc:  denied  { search } for  pid=5147 comm="sysctl" name="net" dev="proc" ino=21653 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
time->Mon Apr 24 11:26:10 2023
type=AVC msg=audit(1682353570.809:277): avc:  denied  { getattr } for  pid=5147 comm="sysctl" path="/proc/sys/net/ipv4/conf/all/src_valid_mark" dev="proc" ino=39650 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
time->Mon Apr 24 11:26:10 2023
type=AVC msg=audit(1682353570.809:278): avc:  denied  { write } for  pid=5147 comm="sysctl" name="src_valid_mark" dev="proc" ino=39650 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
time->Mon Apr 24 11:26:10 2023
type=AVC msg=audit(1682353570.809:279): avc:  denied  { open } for  pid=5147 comm="sysctl" path="/proc/sys/net/ipv4/conf/all/src_valid_mark" dev="proc" ino=39650 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
time->Mon Apr 24 11:26:37 2023
type=AVC msg=audit(1682353597.339:291): avc:  denied  { open } for  pid=5292 comm="nft" path="pipe:[44951]" dev="pipefs" ino=44951 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=1
----
time->Mon Apr 24 11:28:41 2023
type=AVC msg=audit(1682353721.189:310): avc:  denied  { open } for  pid=5413 comm="nft" path="pipe:[41534]" dev="pipefs" ino=41534 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=0

To Reproduce

  1. execute systemctl start wg-quick@configname

Expected behavior The Wireguard tunnel is successfully created.

OS version:

State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 20min ago
BootedDeployment:
● fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230424.0 (2023-04-24T01:59:45Z)
               BaseCommit: 6a288fa88c672a87dca40c44a9b4449e22e1c87c1acb4002f98d0c8b44e40885
             GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464
      RemovedBasePackages: mesa-va-drivers 23.0.2-2.fc38
          LayeredPackages: bat bridge-utils exa fish gnome-shell-extension-pop-shell gnome-tweaks gstreamer1-plugins-bad-free-extras gstreamer1-plugins-bad-freeworld gstreamer1-plugins-ugly gstreamer1-vaapi
                           libappindicator-gtk3 libguestfs-tools libva-utils libvirt mesa-va-drivers-freeworld mesa-vdpau-drivers-freeworld numix-icon-theme-circle papirus-icon-theme python3-nautilus python3-pip
                           qemu-kvm rpmfusion-free-release rpmfusion-nonfree-release steam-devices tilix virt-install virt-manager virt-top wireguard-tools yubikey-manager yubikey-manager-qt
                Initramfs: --force-add tpm2-tss

mooreye commented 1 year ago

Encountered this too. Is there a known workaround?

travier commented 1 year ago

Please file a bug in bugzilla for the SELinux policy.

Segment0895 commented 1 year ago

@Geomancer626 @mooreye please link here when you create the bug on Fedora's bugzilla, or state if you haven't. Also having this issue, using the big hammer to avoid it (setenforce 0), would prefer to use a finer-grained approach. Thanks!

Geomancer626 commented 1 year ago

@Segment0895 @mooreye Sorry for the delay. I did not create a new report on the Fedora bugzilla as I turned up two existing entries by the time I went to report. They can be located at the following URLs and have better solutions which involve altering the SELinux policy for Wireguard. Follow the instructions in either report to get it functioning again.
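The finer-grained alternative to setenforce 0 that Segment0895 asks for, and the policy change the last comment points at, is a local policy module that allows only what the AVC records in the bug report show was denied. The following is an added example, not code from the issue or from Fedora's SELinux policy: it parses those records and emits such a module, the same reduction that `audit2allow -M` automates; the function names and the module name `wg_quick_local` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the distinct AVC records from the bug report, link-mangling removed.
AVC_LINES = """\
type=AVC msg=audit(1682353570.797:274): avc:  denied  { open } for  pid=5141 comm="nft" path="pipe:[43954]" dev="pipefs" ino=43954 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1682353570.809:276): avc:  denied  { search } for  pid=5147 comm="sysctl" name="net" dev="proc" ino=21653 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682353570.809:278): avc:  denied  { write } for  pid=5147 comm="sysctl" name="src_valid_mark" dev="proc" ino=39650 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682353570.809:279): avc:  denied  { open } for  pid=5147 comm="sysctl" path="/proc/sys/net/ipv4/conf/all/src_valid_mark" dev="proc" ino=39650 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682353721.189:310): avc:  denied  { open } for  pid=5413 comm="nft" path="pipe:[41534]" dev="pipefs" ino=41534 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()            # "{ open }" -> ["open"]
    d["permissive"] = d["permissive"] == "1"   # False means the access was really blocked
    return d

def sel_type(ctx):
    return ctx.split(":")[2]  # user:role:type:level -> type, the part allow rules name

def allow_rules(lines):
    """Collapse denials into unique (source type, target type, class) -> sorted perms."""
    rules = defaultdict(set)
    for d in filter(None, map(parse_avc, lines.splitlines())):
        rules[(sel_type(d["scon"]), sel_type(d["tcon"]), d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def render_te(module, rules):
    """Emit a minimal .te module body covering exactly the observed denials."""
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for key in rules for t in key[:2]})]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{cls} {{ {' '.join(p)} }};" for (s, t, cls), p in sorted(rules.items())]
    return "\n".join(out)
```

Only record 310 carries permissive=0, so it is the one denial that actually failed nft in enforcing mode; the others were logged while the reporter had SELinux permissive. Note that the generated `sysctl_net_t:file { open write }` rule covers all of /proc/sys/net rather than just src_valid_mark, which is the kind of breadth to weigh before building and loading the module with semodule.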