The system is unable to start the WireGuard interface via systemd; the error I am getting is the following:

sysctl: cannot stat /proc/sys/net/ipv4/conf/all/src_valid_mark: Permission denied

Reproducible: Always

Steps to Reproduce:
# systemctl start wg-quick@wg0
Job for wg-quick failed because the control process exited with error code.
See "systemctl status wg-quick" and "journalctl -xeu wg-quick" for details.

Actual Results:
# systemctl status wg-quick@wg0
× wg-quick - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Sat 2023-04-22 13:21:58 CEST; 4s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 70008 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
   Main PID: 70008 (code=exited, status=1/FAILURE)
        CPU: 103ms

Apr 22 13:21:58 anee-ph0 wg-quick[70008]: [#] ip -4 rule add table main suppress_prefixlength 0
Apr 22 13:21:58 anee-ph0 wg-quick[70008]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Apr 22 13:21:58 anee-ph0 wg-quick[70059]: sysctl: cannot stat /proc/sys/net/ipv4/conf/all/src_valid_mark: Permission denied
Apr 22 13:21:58 anee-ph0 wg-quick[70008]: [#] resolvconf -d wg0 -f
Apr 22 13:21:58 anee-ph0 wg-quick[70008]: [#] ip -4 rule delete table 51820
Apr 22 13:21:58 anee-ph0 wg-quick[70008]: [#] ip -4 rule delete table main suppress_prefixlength 0
Apr 22 13:21:58 anee-ph0 wg-quick[70008]: [#] ip link delete dev wg0
Apr 22 13:21:58 anee-ph0 systemd[1]: wg-quick: Main process exited, code=exited, status=1/FAILURE
Apr 22 13:21:58 anee-ph0 systemd[1]: wg-quick: Failed with result 'exit-code'.
Apr 22 13:21:58 anee-ph0 systemd[1]: Failed to start wg-quick - WireGuard via wg-quick(8) for wg0.
Expected Results:
The WireGuard interface is brought up by systemd itself.

When I try to start the WireGuard interface directly with the wg-quick command, it works without issue.

# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.111.15/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 192.168.113.0/24 dev wg0
[#] ip -4 route add 192.168.112.0/24 dev wg0
[#] ip -4 route add 192.168.111.0/24 dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
[#] ip link set multicast on dev wg0
I'm seeing a similar issue, but instead of the error you see, I see:

Apr 22 22:11:11 meteor.internal.moonteeth.com wg-quick[1127]: internal:0:0-0: Error: Could not open file "/dev/fd/63": Permission denied

It's the SELinux policy. Setting SELinux to permissive works, and I get the following from audit2why:

$ sudo audit2why -b
type=AVC msg=audit(1682219471.753:157): avc: denied { open } for pid=1127 comm="nft" path="pipe:[23596]" dev="pipefs" ino=23596 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
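The audit2why output above says the denial is a missing type enforcement rule: nft runs in the iptables_t domain and was refused open on a pipe (the bash process substitution behind /dev/fd/63) that carries the wireguard_t label. The following Python is an added example, not part of this bug report and not the SELinux tooling's own code: it parses AVC records of the shape quoted above (the first record is the one from this comment; the SYSCALL record and the second AVC record are constructed), groups denials by source type, target type and object class, and renders the minimal allow rules that would cover them, in the same form audit2allow prints. The rendering is a reimplementation for illustration only.

```python
import re

# Constructed sample input. The first AVC record is the one quoted in the bug
# report; the SYSCALL record and the second AVC record are made up here so the
# parser is exercised on a non-AVC line and on two denials that coalesce.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1682219471.753:157): avc: denied { open } for pid=1127 comm="nft" path="pipe:[23596]" dev="pipefs" ino=23596 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1682219471.753:157): arch=c000003e syscall=257 success=no exit=-13 comm="nft" exe="/usr/sbin/nft" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1682219471.800:158): avc: denied { read } for pid=1127 comm="nft" path="pipe:[23596]" dev="pipefs" ino=23596 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=fifo_file permissive=0
"""

# An AVC record: "avc: denied { perm perm } for ... scontext=U:R:T:L tcontext=U:R:T:L tclass=CLASS [permissive=0|1]"
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """The type field of a security context user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    comm = re.search(r'comm="([^"]*)"', line)
    return {
        "decision": d["decision"],
        "perms": frozenset(d["perms"].split()),
        "source_type": context_type(d["scontext"]),
        "target_type": context_type(d["tcontext"]),
        "tclass": d["tclass"],
        "comm": comm.group(1) if comm else None,
        "permissive": d["permissive"] == "1",
    }


def explain(rec):
    """One-line human reading of a parsed AVC record."""
    mode = "logged only (permissive)" if rec["permissive"] else "blocked (enforcing)"
    return (f"{rec['comm']} running as {rec['source_type']} was {rec['decision']} "
            f"{' '.join(sorted(rec['perms']))} on a {rec['tclass']} labelled "
            f"{rec['target_type']}: {mode}")


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class), unioning permissions."""
    grouped = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        grouped.setdefault(key, set()).update(rec["perms"])
    return grouped


def format_perms(perms):
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def te_allow_rules(grouped):
    """Render minimal TE allow rules covering the grouped denials (audit2allow's shape)."""
    return [f"allow {src} {tgt}:{cls} {format_perms(perms)};"
            for (src, tgt, cls), perms in sorted(grouped.items())]


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        if rec:
            print(explain(rec))
    for rule in te_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run on the sample, the two denials collapse into a single rule, `allow iptables_t wireguard_t:fifo_file { open read };`. A rule like this grants the listed permissions to every process in the source domain, so it is worth checking whether the denial actually comes from a mislabelled object (where restorecon is the right fix) before loading a generated module.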
I should add, my system I upgraded from F36 to F38 via the graphical package manager. In the newly installed system I was missing the SELinux tools to be aware that something was blocked. This I resolved by manually installing the tools with the 'dnf' command. Then, finally, I resolved this issue by a complete reinstallation of all packages on the new system with 'dnf -y reinstall $(rpm -qa)' while monitoring SELinux and allowing all blocked parts during the reinstallation. After reboot, systemd brings the WireGuard interface up without issue. Thank you for the advice. The issue is now resolved.
I think we do need at least a documentation bug on this? I've not made any significant SELinux changes on the system that I'm running wg-quick on, and I'm still seeing this problem, and I'm not entirely comfortable with the process of reinstalling all SELinux packages. The previous reporter's workaround 'dnf -y reinstall $(rpm -qa)' feels incredibly inappropriate: forcibly reinstalling ALL rpm packages to resolve this issue. Something else is missing here.