Bug 2192140

Summary: SELinux is blocking WireGuard when trying to establish a connection via wg-quick
Product: Fedora
Component: selinux-policy
Version: 38
Reporter: Stephan Hegemann <stephanhegemann>
Assignee: Nikola Knazekova <nknazeko>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Status: CLOSED COMPLETED
Severity: medium
Priority: unspecified
Hardware: x86_64
OS: Linux
Last Closed: 2023-10-11 16:33:01 UTC
Attachments:
  1. journalctl fedora 38
  2. journalctl centos stream 9
  3. redacted wireguard config

Description Stephan Hegemann 2023-04-29 21:40:13 UTC
The problem only appeared after upgrading to Fedora 38. In Fedora 37, it worked fine with the exact same WireGuard config.
First, wg-quick could not access the config file in /etc/wireguard. I solved that problem by running "sudo touch /.autorelabel" and rebooting.

But the actual problem is that now, despite being able to access the config file in /etc/wireguard, wg-quick still crashes due to SELinux. I verified this by trying again after running "sudo setenforce 0"; then the connection could be established.

The WireGuard config was created by ProtonVPN.

I do have the exact same problem on CentOS Stream 9.

I will add the journalctl output from Fedora 38 and CentOS Stream 9 and the redacted WireGuard config as attachments.

My selinux-policy version is: 38.12

Reproducible: Always

Steps to Reproduce:
1. Get a wireguard config from ProtonVPN
2. (I commented out the "DNS" option in the config file)
3. Copy it to /etc/wireguard
4. Try to establish a connection by running "systemctl start wg-quick@config_name"
Actual Results:
The WireGuard connection cannot be established

Expected Results:
The WireGuard connection can be established

[root@tx1 ~]# ls -lZ /etc/wireguard/swiss.conf
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 376  1. Apr 12:25 /etc/wireguard/swiss.conf
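A small triage helper, added here and not part of the bug report, for the reporter's two findings above (a config file label that needed a relabel, and a denial that only goes away under "setenforce 0"): it checks the labels in /etc/wireguard against the loaded policy and pulls the AVC records for the unit, which is the evidence worth attaching instead of confirming the problem by disabling enforcement. The tools matchpathcon, restorecon and ausearch are assumed to be the standard SELinux userland; the sample `ls -lZ` line is the one from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): triage helpers for the symptom
# "wg-quick works after setenforce 0 but fails in enforcing mode".
# Assumed tools, all standard SELinux userland: matchpathcon, restorecon, ausearch.

# Return the type component of a "user:role:type:level" context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reduce one `ls -lZ` line to "<path> <type>": the context is the 5th column
# and the path is the last one (paths containing spaces are not handled).
ls_z_type() {
    set -- $1
    ctx=$5
    for last; do :; done
    printf '%s %s\n' "$last" "$(selinux_type "$ctx")"
}

# Compare every *.conf under a directory with the label the loaded policy
# expects.  `matchpathcon -V` prints "<path> verified." on a match, so a
# mismatch here is the "touch /.autorelabel" case from the report, fixable
# per file with restorecon instead of a full relabel.  Returns 1 on any mismatch.
check_labels() {
    dir=$1
    rc=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        if ! matchpathcon -V "$f" | grep -q 'verified\.$'; then
            echo "mislabelled: $f  (fix: restorecon -v '$f')"
            rc=1
        fi
    done
    return $rc
}

# List recent AVC denials mentioning the unit (default: wg-quick), the
# evidence to attach to a bug report instead of running setenforce 0.
recent_denials() {
    ausearch -m AVC,USER_AVC -ts recent -i 2>/dev/null | grep -i -- "${1:-wg-quick}"
}

# Constructed sample: the `ls -lZ` line quoted in the report.
SAMPLE_LINE='-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 376  1. Apr 12:25 /etc/wireguard/swiss.conf'
```

On an affected host, run `check_labels /etc/wireguard` first and `recent_denials` after a failed `systemctl start wg-quick@<name>`.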

Comment 1 Stephan Hegemann 2023-04-29 21:43:24 UTC
Created attachment 1961088 [details]
journalctl fedora 38

Comment 2 Stephan Hegemann 2023-04-29 21:44:12 UTC
Created attachment 1961089 [details]
journalctl centos stream 9

Comment 3 Stephan Hegemann 2023-04-29 21:45:51 UTC
Created attachment 1961090 [details]
redacted wireguard config

Comment 4 Stephan Hegemann 2023-04-29 23:43:35 UTC
I decided it would make more sense to file the bug separately for CentOS Stream 9, instead of just mentioning it here.
https://bugzilla.redhat.com/show_bug.cgi?id=2192154

Comment 5 Stephan Hegemann 2023-10-11 16:33:01 UTC
So, I tested it on Fedora 38 now and it works. Thank you, nice work 👍