Bug 2211305 - SELinux is preventing wg-quick from using the 'dac_override' capabilities. [NEEDINFO]
Summary: SELinux is preventing wg-quick from using the 'dac_override' capabilities.
Keywords:
Status: CLOSED COMPLETED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d2c60a299de46de06030aa4b648...
Depends On:
Blocks:
 
Reported: 2023-05-31 05:21 UTC by vavus44375
Modified: 2023-08-10 09:20 UTC (History)
9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-10 09:20:23 UTC
Type: ---
Embargoed:
zpytela: needinfo? (vavus44375)


Attachments
File: description (2.98 KB, text/plain), 2023-05-31 05:21 UTC, vavus44375
File: os_info (699 bytes, text/plain), 2023-05-31 05:21 UTC, vavus44375

Description vavus44375 2023-05-31 05:21:47 UTC
Description of problem:
systemctl enable wg-quick@<wg_conf>

Calling 'wg-quick up <wg_conf>' manually does not lead to an error; the problems only appear when adding the service.
SELinux is preventing wg-quick from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify whether the domain needs this access, or you have a file with the wrong permissions on your system
Then turn on full auditing to get the path of the offending file and generate the error again.
Do

Turn on full auditing:
# auditctl -w /etc/shadow -p w
Try to recreate the AVC, then run:
# ausearch -m avc -ts recent
If the PATH record reveals a file permissions check, fix it;
otherwise file a report in Bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that wg-quick should have dac_override by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wg-quick' --raw | audit2allow -M my-wgquick
# semodule -X 300 -i my-wgquick.pp

Additional Information:
Source Context                system_u:system_r:wireguard_t:s0
Target Context                system_u:system_r:wireguard_t:s0
Target Objects                Unknown [ capability ]
Source                        wg-quick
Source Path                   wg-quick
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.12-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.12-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.4.0-0.0.next.20230522.327.vanilla.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Mon May 22 05:35:14 UTC 2023 x86_64
Alert Count                   50
First Seen                    2023-05-12 10:15:41 MSK
Last Seen                     2023-05-30 23:04:03 MSK
Local ID                      78056a27-5af9-4ec0-8f8e-15b8c5d73cc5

Raw Audit Messages
type=AVC msg=audit(1685477043.602:145): avc:  denied  { dac_override } for  pid=1195 comm="wg-quick" capability=1  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0


Hash: wg-quick,wireguard_t,wireguard_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-targeted-38.12-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing wg-quick from using the 'dac_override' capabilities.
package:        selinux-policy-targeted-38.12-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.4.0-0.0.next.20230522.327.vanilla.fc38.x86_64
component:      selinux-policy

Comment 1 vavus44375 2023-05-31 05:21:49 UTC
Created attachment 1967999
File: description

Comment 2 vavus44375 2023-05-31 05:21:51 UTC
Created attachment 1968000
File: os_info

Comment 3 Zdenek Pytela 2023-05-31 06:41:44 UTC
The dac_override capability is requested on an access attempt where DAC permissions do not allow this access and usually indicates a problem with the permissions. Please follow the recommendations of the restorecon plugin to turn on full auditing and, when reproduced again, check permissions for the file or directory, or look at the most likely destination:

ls -lRaZ /etc/wireguard/
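The triage described above (turn on full auditing, reproduce, then look at the file the PATH record names) as an added example that is neither the reporter's nor the maintainer's code: a small shell filter that correlates each dac_override AVC with the PATH records of the same audit event and prints the path, mode and owning uid, so the permissions can be compared with what wg-quick expects. It assumes raw audit records (`ausearch --raw` output or /var/log/audit/audit.log) on stdin; the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: for every audit event that carries a
# "denied { dac_override }" AVC, print the PATH records of that same event as
# "serial name mode ouid". Input: raw audit records on stdin (ausearch --raw).
dac_override_paths() {
    awk '
        # Event serial: the number after the colon in msg=audit(secs.ms:serial)
        function serial(line,   m) {
            if (!match(line, /audit\([0-9.]+:[0-9]+\)/)) return ""
            m = substr(line, RSTART, RLENGTH)
            sub(/.*:/, "", m); sub(/\)$/, "", m)
            return m
        }
        # Value of " key=value" in an audit record (quoted or bare value)
        function field(line, key,   v) {
            if (!match(line, " " key "=\"?[^\" ]+")) return "?"
            v = substr(line, RSTART, RLENGTH)
            sub(/^ [^=]+="?/, "", v)
            return v
        }
        # Remember the serials of events that were denied CAP_DAC_OVERRIDE
        /^type=AVC / && /denied +[{] dac_override [}]/ { hit[serial($0)] = 1 }
        # Collect PATH records per serial; they arrive after the AVC in ausearch output
        /^type=PATH / {
            s = serial($0)
            paths[s] = paths[s] s " " field($0, "name") " " field($0, "mode") " " field($0, "ouid") "\n"
        }
        END { for (s in hit) printf "%s", paths[s] }
    '
}

# Constructed sample: event 145 reuses the AVC from this bug and adds a PATH
# record for a config file owned by uid 1000; event 146 has no denial and
# must not be reported.
SAMPLE='type=AVC msg=audit(1685477043.602:145): avc:  denied  { dac_override } for  pid=1195 comm="wg-quick" capability=1  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1685477043.602:145): arch=c000003e syscall=257 success=no exit=-13 uid=0 comm="wg-quick"
type=PATH msg=audit(1685477043.602:145): item=0 name="/etc/wireguard/wg0.conf" inode=1234 mode=0100600 ouid=1000 ogid=1000
type=PATH msg=audit(1685477043.700:146): item=0 name="/etc/resolv.conf" inode=99 mode=0100644 ouid=0 ogid=0'

printf '%s\n' "$SAMPLE" | dac_override_paths
```

Run against real data with `ausearch -m avc,syscall,path -ts recent --raw | sh this-script` after enabling full auditing, and compare the printed mode and ouid with the root-owned, 0600 layout that /etc/wireguard is expected to have.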
