Bug 2211305

Summary: SELinux is preventing wg-quick from using the 'dac_override' capabilities.
Product: Fedora
Reporter: vavus44375
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED COMPLETED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: low
Version: 38
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vavus44375, vmojzis, zpytela
Keywords: Triaged
Flags: zpytela: needinfo? (vavus44375)
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:d2c60a299de46de06030aa4b6485f8424e09e0fe51a911a1ac3356c102bd8c14;VARIANT_ID=kde;
Last Closed: 2023-08-10 09:20:23 UTC
Attachments: description, os_info

Description vavus44375 2023-05-31 05:21:47 UTC
Description of problem:
systemctl enable wg-quick@<wg_conf>

Calling 'wg-quick up <wg_conf>' manually does not lead to an error; the problem only appears when adding the service.
SELinux is preventing wg-quick from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify whether the domain needs this access, or you have a file with wrong permissions on your system,
Then turn on full auditing to get the path of the offending file and generate the error again.
Do

Turn on full auditing:
# auditctl -w /etc/shadow -p w
Try to recreate the AVC, then execute:
# ausearch -m avc -ts recent
If you see a PATH record, check the ownership/permissions on that file and fix it;
otherwise report this in Bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that wg-quick should be allowed dac_override by default,
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wg-quick' --raw | audit2allow -M my-wgquick
# semodule -X 300 -i my-wgquick.pp

Additional Information:
Source Context                system_u:system_r:wireguard_t:s0
Target Context                system_u:system_r:wireguard_t:s0
Target Objects                Unknown [ capability ]
Source                        wg-quick
Source Path                   wg-quick
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.12-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.12-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.4.0-0.0.next.20230522.327.vanilla.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Mon May 22 05:35:14 UTC 2023 x86_64
Alert Count                   50
First Seen                    2023-05-12 10:15:41 MSK
Last Seen                     2023-05-30 23:04:03 MSK
Local ID                      78056a27-5af9-4ec0-8f8e-15b8c5d73cc5

Raw Audit Messages
type=AVC msg=audit(1685477043.602:145): avc:  denied  { dac_override } for  pid=1195 comm="wg-quick" capability=1  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0


Hash: wg-quick,wireguard_t,wireguard_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-targeted-38.12-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing wg-quick from using the 'dac_override' capabilities.
package:        selinux-policy-targeted-38.12-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.4.0-0.0.next.20230522.327.vanilla.fc38.x86_64
component:      selinux-policy

Comment 1 vavus44375 2023-05-31 05:21:49 UTC
Created attachment 1967999
File: description

Comment 2 vavus44375 2023-05-31 05:21:51 UTC
Created attachment 1968000
File: os_info

Comment 3 Zdenek Pytela 2023-05-31 06:41:44 UTC
The dac_override capability is requested on an access attempt where DAC permissions do not allow this access, and it usually indicates a problem with the permissions. Please follow the recommendations of the restorecon plugin to turn on full auditing and, when reproduced again, check permissions for the file or directory, or look at the most likely destination:

ls -lRaZ /etc/wireguard/
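The ls -lRaZ listing above shows ownership, mode and label for every entry, but it leaves the reader to work out which entry a uid 0 process cannot open without a capability. The script below is an added triage helper, not part of the bug report and not part of selinux-policy or wireguard-tools. It walks a directory (the intended argument is /etc/wireguard) and prints every entry whose DAC bits alone would refuse a uid 0 / gid 0 caller read access (files) or read+search access (directories); those are the accesses the kernel can only grant through CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, which is what the AVC above shows SELinux refusing to wireguard_t. Assumptions: GNU stat from coreutils (Fedora has it), supplementary groups are not modelled, and SELinux labels are not examined because the label check is separate from the DAC check.

```sh
#!/bin/sh
# Added triage helper (not from the bug report, selinux-policy or wireguard-tools):
# list entries under a directory that a uid 0 / gid 0 process cannot read
# (files) or read+search (directories) by DAC bits alone. Those accesses are
# the ones the kernel only grants via CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH.
# Assumptions: GNU stat; supplementary groups ignored; SELinux labels not checked.

# needs_dac_bypass PATH -> exit 0 when the DAC bits deny the access, 1 otherwise
needs_dac_bypass() {
    path=$1
    # "uid gid octal-mode file-type"; the type may be several words ("regular file")
    info=$(stat -c '%u %g %a %F' "$path") || return 1
    set -- $info
    uid=$1; gid=$2; mode=$3; shift 3; ftype=$*
    mode=$(printf '%03d' "$mode")      # stat prints "0" for mode 000; pad it
    mode=${mode#"${mode%???}"}         # drop setuid/setgid/sticky, keep the rwx triplet
    owner=${mode%??}
    rest=${mode#?}; group=${rest%?}
    other=${mode#??}
    case $ftype in
        directory) need=5 ;;           # r-x: list and traverse the directory
        *)         need=4 ;;           # r--: read the file (e.g. wg0.conf)
    esac
    # Class selection mirrors the kernel's DAC check for a uid 0 / gid 0 caller:
    # owner bits if root owns the entry, else group bits if its group is 0,
    # else the "other" bits.
    if [ "$uid" -eq 0 ]; then bits=$owner
    elif [ "$gid" -eq 0 ]; then bits=$group
    else bits=$other
    fi
    [ $((bits & need)) -ne "$need" ]
}

# dac_override_candidates DIR -> prints "owner:group mode path" for each offender
# (find reports directories it cannot enter on stderr; those are offenders too)
dac_override_candidates() {
    find "$1" -print | while IFS= read -r entry; do
        if needs_dac_bypass "$entry"; then
            stat -c '%U:%G %a %n' "$entry"
        fi
    done
}

# Usage on the path named in comment 3:
#   dac_override_candidates /etc/wireguard
```

An empty result means the DAC bits are not the cause and the denial should be reported as a policy gap, as the catchall plugin suggests; a non-empty result points at the file or directory whose ownership or mode should be fixed before any local policy module is considered.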