Bug 2192154

Summary: SELinux is blocking WireGuard when trying to establish a connection via wg-quick
Product: Red Hat Enterprise Linux 9
Reporter: Stephan Hegemann <stephanhegemann>
Component: selinux-policy
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: CentOS Stream
CC: bstinson, jwboyer, lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-38.1.14-1.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2023-05-30
Attachments (description, flags):
 * journalctl centos stream 9 (none)
 * redacted wireguard config (none)
 * collected AVC denials (none)

Description Stephan Hegemann 2023-04-29 23:32:25 UTC
Created attachment 1961104 [details]
journalctl centos stream 9

Description of problem:
SELinux blocks wg-quick from establishing a WireGuard connection.
This is probably the same bug I also have on Fedora 38:
https://bugzilla.redhat.com/show_bug.cgi?id=2192140

After running "sudo setenforce 0" the connection can be established.

The WireGuard config was created by ProtonVPN.

I will add the journalctl output from CentOS Stream 9 and the redacted WireGuard config as an attachment.


Version-Release number of selected component (if applicable):
38.1.11


How reproducible:
Always

Steps to Reproduce:
1. Get a WireGuard config from ProtonVPN
2. (I commented out the "DNS" option in the config file)
3. Copy it to /etc/wireguard
4. Try to establish a connection by running "systemctl start wg-quick@config_name"

Actual results:
The WireGuard connection cannot be established

Expected results:
The WireGuard connection can be established

Additional info:

Comment 1 Stephan Hegemann 2023-04-29 23:33:13 UTC
Created attachment 1961105 [details]
redacted wireguard config

Comment 2 Nikola Knazekova 2023-05-02 15:40:21 UTC
Hi Stephan, 

Please reproduce the issue in permissive mode:

# setenforce 0

And collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Thank you

Comment 3 Stephan Hegemann 2023-05-02 20:22:45 UTC
Hi,

Did that on a newly installed, fully updated CentOS Stream 9 machine. selinux-policy is now at version 38.1.12.
I will upload the output as an attachment.

Comment 4 Stephan Hegemann 2023-05-02 20:24:35 UTC
Created attachment 1961807 [details]
collected AVC denials

Comment 5 Milos Malik 2023-05-10 06:48:26 UTC
The attached SELinux denials indicate that the following rules are missing in SELinux policy:

allow wireguard_t sysctl_net_t : dir { search };
allow wireguard_t sysctl_net_t : file { getattr open write };
allow iptables_t wireguard_t : fifo_file { open };

The attached file also contains 1 SELinux denial related to plymouthd which is already reported as:
 * https://bugzilla.redhat.com/show_bug.cgi?id=2184803
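
Until the fixed selinux-policy package lands, the three rules above can be carried in a local policy module so the system stays enforcing instead of falling back to `setenforce 0`. The script below is an added example and is not part of this bug report or of the selinux-policy package; the module name `wireguard_local`, the `/tmp/wireguard_local` work directory and the four subcommands are assumptions made for the example. It needs checkpolicy and policycoreutils to build and load the module, and setools-console (`sesearch`) for the verify step.

```shell
#!/bin/sh
# Added example (not from the bug report): ship the allow rules derived from
# the attached AVC denials as a local SELinux policy module, as an interim
# workaround until selinux-policy-38.1.14-1.el9 is installed.
# Module name "wireguard_local" and the /tmp work directory are assumptions.

# Print the type-enforcement (.te) source for the local module.
wg_local_te() {
    cat <<'EOF'
module wireguard_local 1.0;

require {
    type wireguard_t;
    type sysctl_net_t;
    type iptables_t;
    class dir search;
    class file { getattr open write };
    class fifo_file open;
}

# wg-quick (wireguard_t) writes sysctls under /proc/sys/net (sysctl_net_t)
allow wireguard_t sysctl_net_t:dir search;
allow wireguard_t sysctl_net_t:file { getattr open write };
# iptables (iptables_t), spawned by wg-quick, opens a pipe owned by wg-quick
allow iptables_t wireguard_t:fifo_file open;
EOF
}

# Compile, package and load the module (run as root).
wg_local_install() {
    workdir="${1:-/tmp/wireguard_local}"
    mkdir -p "$workdir"
    wg_local_te > "$workdir/wireguard_local.te"
    checkmodule -M -m -o "$workdir/wireguard_local.mod" "$workdir/wireguard_local.te"
    semodule_package -o "$workdir/wireguard_local.pp" -m "$workdir/wireguard_local.mod"
    semodule -i "$workdir/wireguard_local.pp"
}

# Confirm the module is loaded and the rules are present in the running policy.
wg_local_verify() {
    semodule -l | grep -qx wireguard_local || return 1
    sesearch -A -s wireguard_t -t sysctl_net_t -c file -p write | grep -q '^allow' || return 1
    sesearch -A -s iptables_t -t wireguard_t -c fifo_file -p open | grep -q '^allow'
}

# Drop the module again once the fixed selinux-policy package is installed.
wg_local_remove() {
    semodule -r wireguard_local
}

case "${1:-}" in
    install) wg_local_install "$2" && wg_local_verify ;;
    verify)  wg_local_verify ;;
    remove)  wg_local_remove ;;
    show)    wg_local_te ;;
    *)       : ;;   # no argument: only define the functions
esac
```

`sh wireguard_local.sh install` builds and loads the module and then checks it with `sesearch`; `sh wireguard_local.sh remove` unloads it after updating to the errata package, so the local rules do not linger once the shipped policy already allows these accesses. The same `.te` source is what `audit2allow -M wireguard_local` would produce from the `ausearch` output requested in comment 2; writing it by hand keeps the rule set limited to the three denials actually seen here rather than whatever else happened to be in the audit log.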

Comment 12 Stephan Hegemann 2023-10-11 17:18:26 UTC
So, I tested it on CentOS Stream 9 now and it works. Looks to me like the bug is fixed. Nice work, thank you 👍

Comment 15 errata-xmlrpc 2023-11-07 08:52:24 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617