Bug 2149452
| Summary: | wireguard-tools-1.0.20210914-2 won't start with selinux enable after upgrading to 9.1 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Sherif Nagy <sherif.nagy> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.1 | CC: | bkeys, cgoncalves, cory.bolar, davide.principi, gerd, ikke, lvrabec, mmalik, neil, network-qe, seth, tjb, xoxys, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-38.1.5-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-09 08:16:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Sherif Nagy
2022-11-29 23:28:08 UTC
I have a similar selinux related wg-quick systemd problem. My client config wg0.conf has an endpoint that has an FQDN which seems can't be resolved. Starting the same config using just "wg-quick up wg0" works as does running "systemctl start wg-quick@wg0" with selinux in permissive mode.
"systemctl start wg-quick@wg0" produces these selinux errors:
type=AVC msg=audit(1669576304.328:51): avc: denied { getattr } for pid=1455 comm="wg" path="/etc/resolv.conf" dev="dm-0" ino=67236551 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669576304.328:52): avc: denied { read } for pid=1455 comm="wg" name="resolv.conf" dev="dm-0" ino=67236551 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669576304.328:53): avc: denied { read } for pid=1455 comm="wg" name="hosts" dev="dm-0" ino=67243950 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669576304.328:54): avc: denied { create } for pid=1455 comm="wg" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1669576304.328:55): avc: denied { create } for pid=1455 comm="wg" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
The audit2allow policy from the resulting AVCs is minimal:
#============= wireguard_t ==============
allow wireguard_t net_conf_t:file { getattr open read };
allow wireguard_t self:udp_socket { connect create getattr setopt };
I should add that this is a regression from EL 9.0 where it worked fine.

Thanks for the report. We have noticed the SELinux would prevent wg from running firewalld-cmd or DNS lookup options. Start wireguard with SELinux in permissive mode, or just disabling wireguard policy is a workaround. We are discussing with SELinux team if we can add an exception for this issue.

(In reply to Thomas J. Baker from comment #1)
> I have a similar selinux related wg-quick systemd problem. My client config
> wg0.conf has an endpoint that has an FQDN which seems can't be resolved.
> Starting the same config using just "wg-quick up wg0" works as does running
> "systemctl start wg-quick@wg0" with selinux in permissive mode.

Hi Thomas,
Would you like to share your wg config file so we can know which cmd makes SELinux block wg start?
Thanks
Hangbin

The config is very simple and would need most directives redacted anyway. When starting via systemd with selinux on, it errors out on the endpoint line:
wg-quick[2641]: Name or service not known: <FQDN>:51280
so selinux is blocking it from resolving the ip address from the domain name of the server. As an experiment, I just changed the FQDN to the ip address and it started without problems via systemd with selinux on. I just want to specify the FQDN as it occasionally changes. Also, how do you disable just the wireguard selinux policy?

The following command does NOT disable SELinux policy for wireguard, but the wireguard policy is switched to permissive mode while the rest of the system remains in enforcing mode:
# semanage permissive -a wireguard_t
Let us know which SELinux denials appear during your test scenarios. To switch the wireguard policy back to enforcing mode, please use the following command:
# semanage permissive -d wireguard_t

The selinux AVCs are in comment #1. Let me know if you need anything else.
The list of SELinux denials which appear in enforcing mode usually differs from the list of SELinux denials which appear in permissive mode. Please run the following command on the machine affected by the wireguard problems.
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
The command finds more details about each of the SELinux denials. The details gathered by ausearch are important for creating the right fix in SELinux policy. Thank you.
Here you go -
[root@freeside wireguard]# systemctl restart wg-quick@bc
Job for wg-quick failed because the control process exited with error code.
See "systemctl status wg-quick" and "journalctl -xeu wg-quick" for details.
[root@freeside wireguard]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(11/30/2022 13:52:37.383:9490) : proctitle=wg setconf bc /dev/fd/63
type=SYSCALL msg=audit(11/30/2022 13:52:37.383:9490) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5e4b149a8d a2=0x7fff5be2eda0 a3=0x0 items=0 ppid=21844 pid=21855 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 13:52:37.383:9490) : avc: denied { getattr } for pid=21855 comm=wg path=/etc/resolv.conf dev="dm-0" ino=67236551 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(11/30/2022 13:52:37.383:9491) : proctitle=wg setconf bc /dev/fd/63
type=SYSCALL msg=audit(11/30/2022 13:52:37.383:9491) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5e4b149a8d a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=21844 pid=21855 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 13:52:37.383:9491) : avc: denied { read } for pid=21855 comm=wg name=resolv.conf dev="dm-0" ino=67236551 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(11/30/2022 13:52:37.383:9492) : proctitle=wg setconf bc /dev/fd/63
type=SYSCALL msg=audit(11/30/2022 13:52:37.383:9492) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5e4b149d98 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=21844 pid=21855 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 13:52:37.383:9492) : avc: denied { read } for pid=21855 comm=wg name=hosts dev="dm-0" ino=67243950 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(11/30/2022 13:52:37.383:9493) : proctitle=wg setconf bc /dev/fd/63
type=SYSCALL msg=audit(11/30/2022 13:52:37.383:9493) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DGRAM a2=ip a3=0x55dc415c5b90 items=0 ppid=21844 pid=21855 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 13:52:37.383:9493) : avc: denied { create } for pid=21855 comm=wg scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
----
type=PROCTITLE msg=audit(11/30/2022 13:52:37.383:9494) : proctitle=wg setconf bc /dev/fd/63
type=SYSCALL msg=audit(11/30/2022 13:52:37.383:9494) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DGRAM a2=ip a3=0x1 items=0 ppid=21844 pid=21855 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 13:52:37.383:9494) : avc: denied { create } for pid=21855 comm=wg scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
[root@freeside wireguard]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
[root@freeside wireguard]#
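The AVC records above, whether in raw audit.log form (comment #1) or in the `ausearch -i` form requested in the previous comment, carry the same fields, and the triage a policy maintainer does with them is mechanical: group the denied permissions by (source type, target type, object class), compare the result with what audit2allow would emit, and check which files or sockets each command was refused. As an added example (not code from this bug or from the selinux-policy project), the following Python does that over constructed sample lines modelled on the denials quoted here; it accepts both formats and ignores SYSCALL, PATH and PROCTITLE records. All sample lines and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the denials quoted in this bug.
# Lines 1-3: raw audit.log format; lines 4-5: `ausearch -i` format
# (one of them a USER_AVC from dbus-broker); last line: a SYSCALL record
# that carries no AVC and must be ignored by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1669576304.328:51): avc:  denied  { getattr } for  pid=1455 comm="wg" path="/etc/resolv.conf" dev="dm-0" ino=67236551 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669576304.328:52): avc:  denied  { read } for  pid=1455 comm="wg" name="resolv.conf" dev="dm-0" ino=67236551 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669576304.328:54): avc:  denied  { create } for  pid=1455 comm="wg" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(11/30/2022 13:52:37.383:9492) : avc:  denied  { read } for  pid=21855 comm=wg name=hosts dev="dm-0" ino=67243950 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(03/08/23 10:40:11.394:32086) : pid=787 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(11/30/2022 13:52:37.383:9492) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) comm=wg exe=/usr/bin/wg
"""

# "avc: denied { perm perm } for key=value ..." is common to AVC and USER_AVC.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
# Values are either double-quoted (raw format) or bare (ausearch -i format).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Extract the type (third colon-separated field) from an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a denial record for AVC/USER_AVC lines, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tclass" not in fields:
        return None
    source = context_type(fields["scontext"])
    target = context_type(fields.get("tcontext", fields["scontext"]))
    return {
        "perms": set(m.group("perms").split()),
        "source": source,
        # audit2allow writes 'self' when subject and object share a type
        "target": "self" if target == source else target,
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name") or "",
        "enforcing": fields.get("permissive") == "0",
    }


def parse_audit(text):
    """Return all denial records found in a block of audit.log or ausearch output."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec is not None]


def allow_rules(records, source=None):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for rec in records:
        if source is not None and rec["source"] != source:
            continue
        grouped[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def objects_touched(records, source):
    """Map each denied command to the files/sockets it was refused, for triage."""
    by_comm = defaultdict(set)
    for rec in records:
        if rec["source"] == source and rec["object"]:
            by_comm[rec["comm"]].add(rec["object"])
    return {comm: sorted(objs) for comm, objs in by_comm.items()}


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print(f"{len(recs)} denials, {sum(r['enforcing'] for r in recs)} in enforcing mode")
    for rule in allow_rules(recs, source="wireguard_t"):
        print(rule)
    print(objects_touched(recs, "wireguard_t"))
```

The `enforcing` flag is kept on every record for the reason given in the previous comment: in enforcing mode `wg` aborts at the first refused access, so the rule list derived from an enforcing-mode capture is usually shorter than the one from a permissive-mode capture of the same scenario, and the two should be compared before any rule is proposed for the policy.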
*** Bug 2129438 has been marked as a duplicate of this bug. ***

*** Bug 2174294 has been marked as a duplicate of this bug. ***

*** Bug 2175640 has been marked as a duplicate of this bug. ***

Hi,
I believe this might be broken still. I don't get wireguard working even with the latest selinux-policy from centos stream 9.
-----
[coolboy@apu ~]$ sudo tail -f /var/log/audit/audit.log| grep denied
^Z
[1]+ Stopped sudo tail -f /var/log/audit/audit.log | grep --color=auto denied
[coolboy@apu ~]$ bg
[1]+ sudo tail -f /var/log/audit/audit.log | grep --color=auto denied &
[coolboy@apu ~]$
[coolboy@apu ~]$ sudo systemctl start wg-quick@cool-lab
type=AVC msg=audit(1678200405.139:777): avc: denied { write } for pid=5434 comm="resolvconf" name="socket" dev="tmpfs" ino=51 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1678200405.140:778): avc: denied { write } for pid=5434 comm="resolvconf" name="system_bus_socket" dev="tmpfs" ino=893 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
Job for wg-quick failed because the control process exited with error code.
See "systemctl status wg-quick" and "journalctl -xeu wg-quick" for details.
-----
with audit2allow:
-----
[coolboy@apu ~]$ sudo ausearch -c 'resolvconf' --raw| audit2allow
#============= wireguard_t ==============
allow wireguard_t syslogd_var_run_t:sock_file write;
allow wireguard_t system_dbusd_var_run_t:sock_file write;
-----
I have RHEL 9.1 Edge image installed on my box. I did these steps to manually upgrade the selinux to try this out:
-----
curl -O https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/selinux-policy-38.1.8-1.el9.noarch.rpm
curl -O https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/selinux-policy-targeted-38.1.8-1.el9.noarch.rpm
sudo ostree admin unlock --hotfix
sudo rpm -Uvh selinux-policy-*
sudo reboot
-----
Just for the record, all the settings I've done:
----
[coolboy@apu ~]$ cat resolve-6.te
module resolve-6 1.0;
require {
type syslogd_var_run_t;
type kernel_t;
type system_dbusd_var_run_t;
type system_dbusd_t;
type wireguard_t;
class sock_file write;
class dir search;
class unix_dgram_socket sendto;
class unix_stream_socket connectto;
}
#============= wireguard_t ==============
#!!!! This avc is allowed in the current policy
allow wireguard_t kernel_t:unix_dgram_socket sendto;
#!!!! This avc is allowed in the current policy
allow wireguard_t syslogd_var_run_t:dir search;
#!!!! This avc is allowed in the current policy
allow wireguard_t syslogd_var_run_t:sock_file write;
#!!!! This avc is allowed in the current policy
allow wireguard_t system_dbusd_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow wireguard_t system_dbusd_var_run_t:dir search;
#!!!! This avc is allowed in the current policy
-----
With selinux off the tunnel works.
All rules listed in comment#36 and comment#37 are already present in the latest selinux-policy build:
# rpm -qa selinux\*
selinux-policy-38.1.8-1.el9.noarch
selinux-policy-targeted-38.1.8-1.el9.noarch
# sesearch -s wireguard_t -t kernel_t -c unix_dgram_socket -p sendto -A
allow wireguard_t kernel_t:unix_dgram_socket sendto;
# sesearch -s wireguard_t -t syslogd_var_run_t -c dir -p search -A
allow wireguard_t pidfile:dir { getattr open search };
# sesearch -s wireguard_t -t syslogd_var_run_t -c sock_file -p write -A
allow wireguard_t syslogd_var_run_t:sock_file { append getattr open write };
# sesearch -s wireguard_t -t system_dbusd_t -c unix_stream_socket -p connectto -A
allow wireguard_t system_dbusd_t:unix_stream_socket connectto;
# sesearch -s wireguard_t -t system_dbusd_var_run_t -c dir -p search -A
allow wireguard_t pidfile:dir { getattr open search };
# sesearch -s wireguard_t -t system_dbusd_var_run_t -c sock_file -p write -A
allow wireguard_t system_dbusd_var_run_t:sock_file { append getattr open write };
#

It does not work still even if this version of rpm is installed, and such rules added manually. It works if I disable selinux. This is one of those things where selinux prevents stuff working, but doesn't log about it.

Please remove the dontaudit rules:
# semodule -DB
re-run your scenario, collect SELinux denials
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
and paste them here. Thank you.

I inspected the attached file and found the following SELinux denials which are directly related to wireguard:
----
type=PROCTITLE msg=audit(03/08/23 10:40:11.260:32085) : proctitle=ip link show dev cool-lab
type=SYSCALL msg=audit(03/08/23 10:40:11.260:32085) : arch=x86_64 syscall=ioctl success=no exit=ENODEV(No such device) a0=0x4 a1=SIOCGIFINDEX a2=0x7ffd8ef87ce0 a3=0x9b items=0 ppid=32272 pid=32273 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/usr/sbin/ip subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/08/23 10:40:11.260:32085) : avc: denied { sys_module } for pid=32273 comm=ip capability=sys_module scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0
----
type=USER_AVC msg=audit(03/08/23 10:40:11.394:32086) : pid=787 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(03/08/23 10:40:11.435:32087) : proctitle=ip link delete dev cool-lab
type=SYSCALL msg=audit(03/08/23 10:40:11.435:32087) : arch=x86_64 syscall=sendmsg success=yes exit=32 a0=0x3 a1=0x7ffdc4b601f0 a2=0x0 a3=0x9b items=0 ppid=32267 pid=32295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip exe=/usr/sbin/ip subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/08/23 10:40:11.435:32087) : avc: denied { search } for pid=32295 comm=ip name=slab dev="debugfs" ino=10789 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
----
Let's deal with them in a new BZ.
New BZ was filed to address the SELinux denials shown in the latest comment:
* https://bugzilla.redhat.com/show_bug.cgi?id=2176487

@Milos Access to the new bug #2176487 seems to be restricted. Since this issue affects me I would like to stay informed about the progress and add me to its CC list. Would it be possible to change the access settings to this bz entry to public? Thanks.

(In reply to Milos Malik from comment #40)
DNS resolution for e.g. `Endpoint = vpn.example.com:51820` is still not working.
Mar 14 10:39:45 ramhorn systemd-udevd[15070]: Using default interface naming scheme 'rhel-9.1'.
Mar 14 10:39:45 ramhorn wg-quick[15097]: Name or service not known: `vpn.example.com:51820'
Mar 14 10:39:45 ramhorn wg-quick[15097]: Configuration parsing error
Mar 14 10:39:45 ramhorn wg-quick[15082]: [#] ip link delete dev wg0
Mar 14 10:39:45 ramhorn systemd[1]: wg-quick: Main process exited, code=exited, status=1/FAILURE
Mar 14 10:39:45 ramhorn systemd[1]: wg-quick: Failed with result 'exit-code'.
Mar 14 10:39:45 ramhorn systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
As this seems to be related to an SELinux issue accessing `/etc/resolv.conf`, this doesn't seem to be covered by #2176487?
----
type=PROCTITLE msg=audit(03/14/2023 10:39:45.225:24729) : proctitle=wg setconf wg0 /dev/fd/63
type=SYSCALL msg=audit(03/14/2023 10:39:45.225:24729) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet6 a1=SOCK_DGRAM a2=ip a3=0x7fff0bbc3700 items=0 ppid=15082 pid=15097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/14/2023 10:39:45.225:24729) : avc: denied { create } for pid=15097 comm=wg scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
----
type=PROCTITLE msg=audit(03/14/2023 10:39:45.227:24730) : proctitle=wg setconf wg0 /dev/fd/63
type=SYSCALL msg=audit(03/14/2023 10:39:45.227:24730) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DGRAM a2=ip a3=0x7fff0bbc3700 items=0 ppid=15082 pid=15097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/14/2023 10:39:45.227:24730) : avc: denied { create } for pid=15097 comm=wg scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
----
type=PROCTITLE msg=audit(03/14/2023 10:39:45.227:24731) : proctitle=wg setconf wg0 /dev/fd/63
type=PATH msg=audit(03/14/2023 10:39:45.227:24731) : item=0 name=/etc/resolv.conf inode=4194438 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(03/14/2023 10:39:45.227:24731) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f2985509a8d a2=0x7fff0bbc33d0 a3=0x0 items=1 ppid=15082 pid=15097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/14/2023 10:39:45.227:24731) : avc: denied { getattr } for pid=15097 comm=wg path=/etc/resolv.conf dev="dm-0" ino=4194438 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(03/14/2023 10:39:45.227:24732) : proctitle=wg setconf wg0 /dev/fd/63
type=PATH msg=audit(03/14/2023 10:39:45.227:24732) : item=0 name=/etc/resolv.conf inode=4194438 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(03/14/2023 10:39:45.227:24732) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f2985509a8d a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=15082 pid=15097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/14/2023 10:39:45.227:24732) : avc: denied { read } for pid=15097 comm=wg name=resolv.conf dev="dm-0" ino=4194438 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(03/14/2023 10:39:45.227:24733) : proctitle=wg setconf wg0 /dev/fd/63
type=PATH msg=audit(03/14/2023 10:39:45.227:24733) : item=0 name=/etc/hosts inode=4194446 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(03/14/2023 10:39:45.227:24733) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f2985509d98 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=15082 pid=15097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/14/2023 10:39:45.227:24733) : avc: denied { read } for pid=15097 comm=wg name=hosts dev="dm-0" ino=4194446 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(03/14/2023 10:39:45.227:24734) : proctitle=wg setconf wg0 /dev/fd/63
type=SYSCALL msg=audit(03/14/2023 10:39:45.227:24734) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DGRAM a2=ip a3=0x5610f906b2a0 items=0 ppid=15082 pid=15097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wg exe=/usr/bin/wg subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(03/14/2023 10:39:45.227:24734) : avc: denied { create } for pid=15097 comm=wg scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2483