Bug 2252895 - wg-quick@wg0: /etc/wireguard/wg0.conf does not exist (but it does)
Summary: wg-quick@wg0: /etc/wireguard/wg0.conf does not exist (but it does)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: aarch64
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL: https://discussion.fedoraproject.org/...
Whiteboard:
Depends On:
Blocks:
Reported: 2023-12-05 06:29 UTC by Benny Powers
Modified: 2023-12-05 14:01 UTC
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-05 11:55:23 UTC
Type: ---
Embargoed:



Description Benny Powers 2023-12-05 06:29:49 UTC
I followed the instructions at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_networking/assembly_setting-up-a-wireguard-vpn_configuring-and-managing-networking#proc_configuring-a-wireguard-server-by-using-the-wg-quick-service_assembly_setting-up-a-wireguard-vpn (as well as those at https://fedoramagazine.org/build-a-virtual-private-network-with-wireguard/) and when I tried bringing the service up, I got

```
Dec 03 12:11:28 pi wg-quick[124827]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 03 12:11:28 pi systemd[1]: wg-quick: Main process exited, code=exited, status=1/FAILURE
Dec 03 12:11:28 pi systemd[1]: wg-quick: Failed with result 'exit-code'.
Dec 03 12:11:28 pi systemd[1]: Failed to start wg-quick - WireGuard via wg-quick(8) for wg0.
# ll /etc/wireguard/wg0.conf
-rw-r--r--. 1 root root 233 Dec  3 12:05 /etc/wireguard/wg0.conf
# ll $(which wg-quick)
-rwxr-xr-x. 3 root root 13464 Jan  1  1970 /usr/bin/wg-quick
# ls -lZ /etc/wireguard/wg0.conf
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 499 Dec  3 15:25 /etc/wireguard/wg0.conf
```
```
# ausearch -m avc

...

time->Wed Nov 29 02:00:25 2023
type=AVC msg=audit(1701216025.796:132): avc:  denied  { dac_override } for  pid=1179 comm="wg-quick" capability=1  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0

...

```

Reproducible: Always

Steps to Reproduce:
1. rpm-ostree install wireguard-tools
2. touch /etc/wireguard/wg0.conf with contents:

```
[Interface]
Address = 192.0.2.1/24, 2001:db8:1::1/32
ListenPort = 51820
PrivateKey = <PRIV_KEY>

[Peer]
PublicKey = <PUB_KEY>
AllowedIPs = 192.0.2.2, 2001:db8:1::2
```
3. systemctl enable --now wg-quick@wg0
Actual Results:
wg-quick: `/etc/wireguard/wg0.conf' does not exist

Expected Results:
service starts

Comment 1 Zdenek Pytela 2023-12-05 10:25:06 UTC
This looks like a problem with dac permission - please check:

# ls -ld / /etc /etc/wireguard/

Comment 2 Benny Powers 2023-12-05 11:26:20 UTC
Note that since originally observing this behaviour, I performed the workaround suggested by Micah Abbot:

# ausearch -m avc > audit.log
# audit2allow -i audit.log -m local > local.te
# checkmodule -M -m -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp

having done that, here then is the result of 

# ls -ld / /etc /etc/wireguard/
drwxr-xr-x. 1 root root  158 Dec  5 08:33 /
drwxr-xr-x. 1 root root 4112 Nov 29 02:00 /etc
d-w-------. 1 root root   84 Dec  5 09:18 /etc/wireguard/

Comment 3 Zdenek Pytela 2023-12-05 11:55:23 UTC
(In reply to Benny Powers from comment #2)
> Note that since originally observing this behaviour, I performed the
> workaround suggested by Micah Abbot:
> 
> # ausearch -m avc > audit.log
> # audit2allow -i audit.log -m local > local.te
> # checkmodule -M -m -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
This is not the proper solution to the problem.

> 
> having done that, here then is the result of 
> 
> # ls -ld / /etc /etc/wireguard/
> drwxr-xr-x. 1 root root  158 Dec  5 08:33 /
> drwxr-xr-x. 1 root root 4112 Nov 29 02:00 /etc
> d-w-------. 1 root root   84 Dec  5 09:18 /etc/wireguard/

This is the problem which can be fixed e.g. with

rpm --restore wireguard-tools

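Added example, not part of the bug report and not code from wireguard-tools or selinux-policy: a POSIX shell script that checks the two things this thread turns on. First, whether `ausearch -m avc` output contains dac_override denials: a root process only needs CAP_DAC_OVERRIDE when the ordinary mode bits refuse it, so such a denial points at file permissions rather than at a policy gap. Second, whether every directory on the path to the config file grants its owner read and search; here /etc/wireguard was d-w-------, so root could not search it without dac_override, which wireguard_t is not allowed, and wg-quick reported the file as missing. It assumes GNU coreutils `stat -c '%A'` on Linux; the script name `check-wg-path.sh` and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the bug report, wireguard-tools or selinux-policy).
# Assumes GNU coreutils stat on Linux; function names are illustrative.

# Read audit AVC lines on stdin; print "<pid> <comm>" for each dac_override
# denial. The scontext of such a record is the confined domain that hit it.
find_dac_override_denials() {
    awk '/avc:.*denied.*dac_override/ {
        pid = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/)  pid  = substr($i, 5)
            if ($i ~ /^comm=/) comm = substr($i, 6)
        }
        gsub(/"/, "", comm)   # comm is quoted in the audit record
        print pid, comm
    }'
}

# Walk from the file's directory up to /, printing each directory whose
# owner lacks r and x (search). A root process confined by SELinux cannot
# fall back on dac_override for these. Returns 1 if any was found, 0 if
# the whole path is searchable, 2 if a component cannot be stat'ed.
check_owner_search() {
    dir=$(dirname "$1")
    bad=0
    while :; do
        perm=$(stat -c '%A' "$dir") || return 2   # e.g. d-w-------
        case $perm in
            ?r?[xs]*) ;;                           # owner may read and search
            *) printf '%s is %s: owner cannot search it, root would need dac_override\n' \
                   "$dir" "$perm"
               bad=1 ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# Usage:
#   sh check-wg-path.sh /etc/wireguard/wg0.conf
#   ausearch -m avc | { . ./check-wg-path.sh; find_dac_override_denials; }
# If a directory is flagged, restore the packaged permissions (comment 3)
# instead of granting dac_override:  rpm --restore wireguard-tools
if [ $# -gt 0 ]; then
    check_owner_search "$1"
fi
```

Running the path check against the report's state would print the /etc/wireguard line with mode d-w------- and exit 1; after `rpm --restore wireguard-tools` it exits 0, and the audit2allow module that granted dac_override can be removed with `semodule -r local`.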
