Bug 2176487

Summary: the wg-quick service is still broken in enforcing mode
Product: Red Hat Enterprise Linux 9
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 9.2
CC: gerd, ikke, lvrabec, miabbott, mmalik, nknazeko, pvlasin, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-38.1.9-1.el9_2
Doc Type: No Doc Update
Clones: 2179025
Last Closed: 2023-05-09 08:17:18 UTC
Type: Bug
Bug Blocks: 2179025
Attachments: Audit log as requested

Description Milos Malik 2023-03-08 14:00:57 UTC
Description of problem:
 * follow-up BZ based on https://bugzilla.redhat.com/show_bug.cgi?id=2149452#c36 and later comments

Version-Release number of selected component (if applicable):
selinux-policy-38.1.8-1.el9.noarch
selinux-policy-targeted-38.1.8-1.el9.noarch

Actual results:
----
type=PROCTITLE msg=audit(03/08/23 10:40:11.260:32085) : proctitle=ip link show dev cool-lab 
type=SYSCALL msg=audit(03/08/23 10:40:11.260:32085) : arch=x86_64 syscall=ioctl success=no exit=ENODEV(No such device) a0=0x4 a1=SIOCGIFINDEX a2=0x7ffd8ef87ce0 a3=0x9b items=0 ppid=32272 pid=32273 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/usr/sbin/ip subj=system_u:system_r:wireguard_t:s0 key=(null) 
type=AVC msg=audit(03/08/23 10:40:11.260:32085) : avc:  denied  { sys_module } for  pid=32273 comm=ip capability=sys_module  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0 
----
type=USER_AVC msg=audit(03/08/23 10:40:11.394:32086) : pid=787 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(03/08/23 10:40:11.435:32087) : proctitle=ip link delete dev cool-lab 
type=SYSCALL msg=audit(03/08/23 10:40:11.435:32087) : arch=x86_64 syscall=sendmsg success=yes exit=32 a0=0x3 a1=0x7ffdc4b601f0 a2=0x0 a3=0x9b items=0 ppid=32267 pid=32295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/usr/sbin/ip subj=system_u:system_r:wireguard_t:s0 key=(null) 
type=AVC msg=audit(03/08/23 10:40:11.435:32087) : avc:  denied  { search } for  pid=32295 comm=ip name=slab dev="debugfs" ino=10789 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 
----

Expected results:
 * no SELinux denials
 * the wg-quick service works in enforcing mode

Comment 2 Milos Malik 2023-03-08 14:26:42 UTC
The SELinux denials listed in comment#0 appear after removing the dontaudit rules.

Here are the SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(03/08/2023 09:20:36.049:343) : proctitle=ip link delete dev ppp0 
type=SYSCALL msg=audit(03/08/2023 09:20:36.049:343) : arch=x86_64 syscall=sendmsg success=yes exit=32 a0=0x3 a1=0x7ffe74892a30 a2=0x0 a3=0x9b items=0 ppid=4704 pid=4711 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/usr/sbin/ip subj=system_u:system_r:wireguard_t:s0 key=(null) 
type=AVC msg=audit(03/08/2023 09:20:36.049:343) : avc:  denied  { search } for  pid=4711 comm=ip name=slab dev="debugfs" ino=9932 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/08/2023 09:20:40.752:352) : proctitle=ip link show dev ppp0 
type=SYSCALL msg=audit(03/08/2023 09:20:40.752:352) : arch=x86_64 syscall=ioctl success=no exit=ENODEV(No such device) a0=0x4 a1=SIOCGIFINDEX a2=0x7ffc3bd7aec0 a3=0x16 items=0 ppid=4739 pid=4740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/usr/sbin/ip subj=system_u:system_r:wireguard_t:s0 key=(null) 
type=AVC msg=audit(03/08/2023 09:20:40.752:352) : avc:  denied  { sys_module } for  pid=4740 comm=ip capability=sys_module  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=1 
----

Comment 3 Ilkka Tengvall 2023-03-08 14:31:35 UTC
Further info on where I face this:

This works:
sudo wg-quick up <profile>

This does not work:
sudo systemctl start wg-quick@<profile>
sudo nmcli connection up <profile>

My wg conf is:

------
[Interface]
Address = 10.254.251.102
PrivateKey = <privkey>
DNS = 10.128.1.10
[Peer]
PublicKey = <pubkey>
AllowedIPs = 10.128.1.0/24, 10.128.2.0/24, 10.128.3.0/24, 10.128.4.0/24
Endpoint = <server-ip>:51820
PersistentKeepalive = 25
------

Comment 4 Milos Malik 2023-03-08 17:42:48 UTC
@ikke I would like you to test a special policy module in enforcing mode:

# setenforce 1
# cat testpolicy.cil 
( allow wireguard_t wireguard_t ( capability ( sys_module )))
( allow wireguard_t system_dbusd_t ( dbus ( send_msg )))
( allow wireguard_t debugfs_t ( dir ( search )))

# semodule -i testpolicy.cil 
#

Please re-run your scenario (systemctl start wg-quick@<profile>) and let us know if it works.

Please collect SELinux denials if they appear:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

The following command removes the policy module shown above:

# semodule -r testpolicy
#

Thank you.
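
The step taken by hand in this comment, reading each AVC and USER_AVC record from the description and writing one CIL allow rule per source type, target type and class, can be done by a short script so that the resulting worklist is complete and reviewable. The Python below is an added example, not code from the bug report or from the selinux-policy project; the audit records embedded in it are copied from the description of this bug, and the script name avc2cil.py is an assumption.

```python
"""avc2cil.py: turn SELinux denials (ausearch -i output) into candidate CIL allow rules.

Added example, not part of the bug report or of selinux-policy. It reproduces
the step in comment 4: read AVC and USER_AVC records and emit one CIL allow
rule per (source type, target type, object class), merging permissions.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Records copied from the bug description; each is one line of
# ``ausearch -m avc -m user_avc -i`` output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(03/08/23 10:40:11.260:32085) : avc:  denied  { sys_module } for  pid=32273 comm=ip capability=sys_module  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0 
type=USER_AVC msg=audit(03/08/23 10:40:11.394:32086) : pid=787 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
type=AVC msg=audit(03/08/23 10:40:11.435:32087) : avc:  denied  { search } for  pid=32295 comm=ip name=slab dev="debugfs" ino=10789 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 
"""

# Common core of AVC and USER_AVC records. In USER_AVC the core sits inside
# msg='...', so the pattern is not anchored on the record type.
_DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
_PERMISSIVE_RE = re.compile(r"permissive=(?P<flag>[01])")
_COMM_RE = re.compile(r"\bcomm=(?P<comm>\S+)")


@dataclass
class Denial:
    stype: str            # source (subject) type, e.g. wireguard_t
    ttype: str            # target (object) type, e.g. debugfs_t
    tclass: str           # object class, e.g. dir
    perms: List[str]      # permissions listed inside { ... }
    comm: Optional[str]   # command name when the record carries one (AVC only)
    permissive: bool      # True if the denial was logged in permissive mode


def _type_of(context: str) -> str:
    """user:role:type[:level] -> type (third colon-separated field)."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def parse_denials(text: str) -> List[Denial]:
    """Extract one Denial per AVC/USER_AVC record; other record types are skipped."""
    denials: List[Denial] = []
    for line in text.splitlines():
        m = _DENIAL_RE.search(line)
        if not m:
            continue
        pm = _PERMISSIVE_RE.search(line)
        cm = _COMM_RE.search(line)
        denials.append(Denial(
            stype=_type_of(m["scontext"]),
            ttype=_type_of(m["tcontext"]),
            tclass=m["tclass"],
            perms=m["perms"].split(),
            comm=cm["comm"] if cm else None,
            permissive=(pm is not None and pm["flag"] == "1"),
        ))
    return denials


def to_cil(denials: List[Denial]) -> List[str]:
    """Merge denials by (stype, ttype, tclass) and render CIL allow rules in first-seen order."""
    merged: Dict[Tuple[str, str, str], List[str]] = {}
    for d in denials:
        perms = merged.setdefault((d.stype, d.ttype, d.tclass), [])
        for p in d.perms:
            if p not in perms:
                perms.append(p)
    return [f"(allow {s} {t} ({c} ({' '.join(perms)})))" for (s, t, c), perms in merged.items()]


def main() -> None:
    # Read real ausearch output from a pipe; fall back to the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    denials = parse_denials(text)
    for d in denials:
        print(f"; {d.comm or '?'} {d.tclass} {' '.join(d.perms)} "
              f"({'permissive' if d.permissive else 'enforcing'})")
    for rule in to_cil(denials):
        print(rule)


if __name__ == "__main__":
    main()
```

Running it on the description's records prints exactly the three rules of testpolicy.cil above; on a live system, `ausearch -m avc -m user_avc -i -ts today | python3 avc2cil.py > testpolicy.cil` produces a module for the test described in this comment. The output is a worklist, not a module to load unreviewed: a capability such as sys_module covers far more than the ioctl that was denied, which is why the permanent fix is a policy update (selinux-policy-38.1.9-1.el9_2 per this bug) rather than a local allow module.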

Comment 5 Ilkka Tengvall 2023-03-08 20:34:23 UTC
Created attachment 1949149 [details]
Audit log as requested

Here are the commands:

------------
[coolboy@apu ~]$ cat testpolicy.cil
( allow wireguard_t wireguard_t ( capability ( sys_module )))
( allow wireguard_t system_dbusd_t ( dbus ( send_msg )))
( allow wireguard_t debugfs_t ( dir ( search )))
[coolboy@apu ~]$ getenforce
Enforcing
[coolboy@apu ~]$ sudo semodule -i testpolicy.cil
[coolboy@apu ~]$ date
Wed Mar  8 22:28:02 EET 2023
[coolboy@apu ~]$ sudo systemctl start wg-quick@cool-lab
[coolboy@apu ~]$ sudo wg
interface: cool-lab
  public key: xxx
  private key: (hidden)
  listening port: 37170

peer: xxx
  endpoint: xxx:51820
  allowed ips: 10.128.1.0/24, 10.128.2.0/24, 10.128.3.0/24, 10.128.4.0/24
  latest handshake: 3 seconds ago
  transfer: 92 B received, 180 B sent
  persistent keepalive: every 25 seconds
[coolboy@apu ~]$ sudo ausearch -m avc -m user_avc -m selinux_err -i -ts 03/08/23 22:28 > audit.txt
------------

See attached audit.txt.

It worked \o/, not going to remove the policy :D

Comment 21 errata-xmlrpc 2023-05-09 08:17:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483