Bug 2255572 - Wireguard calling firewall-cmd blocked by selinux policy after upgraded Fedora 37 to 39
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-12-21 23:37 UTC by Marcin Zajaczkowski
Modified: 2024-11-22 20:36 UTC (History)
CC: 8 users

Fixed In Version: selinux-policy-39.5-1.fc39
Clone Of:
Environment:
Last Closed: 2024-11-22 20:36:21 UTC
Type: ---
Embargoed:


Attachments
More complete system logs (8.41 KB, text/plain), 2023-12-21 23:40 UTC, Marcin Zajaczkowski
audit logs (20.68 KB, text/plain), 2024-02-29 19:31 UTC, Marcin Zajaczkowski


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github fedora-selinux selinux-policy | pull 2042 | 0 | None | open | Allow wireguard work with firewall-cmd | 2024-02-19 14:31:16 UTC

Description Marcin Zajaczkowski 2023-12-21 23:37:18 UTC
After upgrading my Fedora 37 server to 39, Wireguard (wg-quick) no longer starts, failing on the firewall-cmd calls:

```
wg-quick[5067]: [#] firewall-cmd --zone=FedoraServer --add-port XXXX/udp && firewall-cmd --zone=FedoraServer --add-masquerade && firewall-cmd --zone=FedoraServer --add-forward
...
audit[5106]: AVC avc:  denied  { search } for  pid=5106 comm="firewall-cmd" name="pki" dev="sda1" ino=393252 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
audit[5106]: AVC avc:  denied  { read } for  pid=5106 comm="firewall-cmd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
audit[5106]: AVC avc:  denied  { read } for  pid=5106 comm="firewall-cmd" name="stat" dev="proc" ino=4026532026 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
...
systemd[1]: wg-quick: Main process exited, code=exited, status=254/n/a
```

Later in the system logs there are:

```
setroubleshoot[5138]: SELinux is preventing firewall-cmd from search access on the directory /etc/pki.
...
setroubleshoot[5138]: SELinux is preventing firewall-cmd from read access on the file possible.
...
setroubleshoot[5138]: SELinux is preventing firewall-cmd from read access on the file stat.
```

with the SELinux commands showing how to apply workarounds. I attached a more complete log as an attachment.


Calling firewall-cmd seems to be the common approach (to expose the server port and add packet forwarding/masquerade). I wonder if there is any other recommended action in Fedora 38/39? If not, I would expect to have native support for using Wireguard/wg-quick with firewall-cmd on Fedora with SELinux.



Reproducible: Always

Steps to Reproduce:
1. Configure wireguard to use firewall-cmd
2. Enable wireguard: sudo systemctl start wg-quick
Actual Results:  
SELinux errors

Expected Results:  
Wireguard works out-of-the box with default SELinux policies in Fedora 38/39.

I've migrated from 37 to 39, but I believe the problem was introduced in 38 - https://bugzilla.redhat.com/show_bug.cgi?id=2177129 and https://unix.stackexchange.com/q/746688 .

Comment 1 Marcin Zajaczkowski 2023-12-21 23:40:00 UTC
Created attachment 2005334 [details]
More complete system logs

Comment 2 Marcin Zajaczkowski 2023-12-21 23:43:34 UTC
wireguard-tools-1.0.20210914-5.fc39.x86_64
selinux-policy-39.3-1.fc39.noarch
selinux-policy-targeted-39.3-1.fc39.noarch

Comment 3 Zdenek Pytela 2023-12-22 08:21:09 UTC
Marcin,

Can you elaborate on the configuration changes needed to trigger this issue?
Our tests did not find any issues so far.

Comment 4 Marcin Zajaczkowski 2023-12-22 09:20:03 UTC
Thanks for your quick reply.

It's pretty standard Wireguard configuration in /etc/wireguard/wg-XXX.conf:

> [Interface]
> Address    = X.Y.Z.Ż
> PrivateKey = ...
> PostUp     = firewall-cmd --zone=FedoraServer --add-port XXXX/udp && firewall-cmd --zone=FedoraServer --add-masquerade && firewall-cmd --zone=FedoraServer --add-forward
> PostDown   = firewall-cmd --zone=FedoraServer --remove-port XXXX/udp && firewall-cmd --zone=FedoraServer --remove-masquerade && firewall-cmd --zone=FedoraServer --remove-forward
> # Non default port
> ListenPort = XXXX
> 
> [Peer]
> PublicKey = ...
> PresharedKey = ...
> AllowedIPs = A.B.C.D/32


However, it might be important that the machine had been upgraded (with dnf system-upgrade) from F35 to 37 and now from 37 to 39. Maybe there are some labels missing which were not covered by the migration?

Comment 5 Zdenek Pytela 2023-12-22 10:40:43 UTC
The service was confined in F37; it does not look like a migration problem.

Comment 6 Marcin Zajaczkowski 2023-12-22 23:17:55 UTC
Is there anything I could check in my system to help you figure out what could be a problem?


Btw, when I executed the "PostUp" command manually with sudo and later on started Wireguard, it worked as expected (so, aside from the problem with firewall-cmd, wg-quick itself doesn't have a problem with SELinux policies).

Comment 7 Zdenek Pytela 2024-01-02 20:33:04 UTC
If you can easily reproduce it, it would be of a big help to gather all denials with full auditing enabled:

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

perhaps in permissive mode:

setenforce 0

before reproducing. Note that with CLI execution the daemon starts in a different SELinux domain, which can result in mislabeled runtime files.

Comment 8 Zdenek Pytela 2024-01-19 17:54:52 UTC
You can also create a local SELinux module, but I am afraid a few iterations will be needed before the policy is complete:

```
# cat local_wireguard.cil
(allow wireguard_t cert_t (dir (search)))
(allow wireguard_t proc_t (file (read)))
(allow wireguard_t sysfs_t (file (read)))

# semodule -i local_wireguard.cil
```

Comment 9 Marcin Zajaczkowski 2024-02-11 23:36:54 UTC
Sorry for the delay, Zdenek. However, I've finally made it work!


When I loaded "local_wireguard.cil", it changed the errors to:

> SELinux is preventing firewall-cmd from open access on the file /etc/pki/tls/openssl.cnf. (...)
> SELinux is preventing firewall-cmd from open access on the file /sys/devices/system/cpu/possible. (...)
> SELinux is preventing firewall-cmd from open access on the file /proc/stat. (...)


I "fixed" it with:
> (allow wireguard_t cert_t (dir (search)))
> (allow wireguard_t cert_t (file (read open getattr)))
> (allow wireguard_t proc_t (file (read open)))
> (allow wireguard_t sysfs_t (file (read open)))


It allowed me to successfully call firewall-cmd, but the service was still failing with:

> wg-quick[111]: [#] firewall-cmd --zone=FedoraServer --add-port XXXX/udp && firewall-cmd --zone=FedoraServer --add-masquerade && firewall-cmd --zone=FedoraServer --add-forward
> systemd[1]: Starting NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service...
> systemd[1]: Started NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service.
> audit[1]: SERVICE_START pid=1 uid=0 auid=xxx ses=yyy subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> NetworkManager[222]: <info>  [xxx.yyy] device (wg-vps): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
> NetworkManager[222]: <info>  [xxx.yyy] device (wg-vps): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
> NetworkManager[222]: <info>  [xxx.yyy] device (wg-vps): Activation: successful, device activated.
> systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
> audit[333]: USER_AVC pid=333 uid=81 auid=zzz ses=zzz subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
> dbus-broker[333]: A security policy denied :1.8406 to send method call /org/fedoraproject/FirewallD1:org.freedesktop.DBus.Introspectable.Introspect to :1.10.
> audit[333]: USER_AVC pid=333 uid=81 auid=zzz ses=zzz subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
> audit[333]: USER_AVC pid=333 uid=81 auid=zzz ses=zzz subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
> audit[333]: USER_AVC pid=333 uid=81 auid=zzz ses=zzz subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
> dbus-broker[333]: A security policy denied :1.8406 to send method call /org/fedoraproject/FirewallD1/config:org.freedesktop.DBus.Introspectable.Introspect to :1.10.
> dbus-broker[333]: A security policy denied :1.8406 to send method call /org/fedoraproject/FirewallD1/config:org.freedesktop.DBus.Introspectable.Introspect to :1.10.
> audit[333]: USER_AVC pid=333 uid=81 auid=zzz ses=zzz subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
> wg-quick[3578548]: ERROR:dbus.proxies:Introspect error on :1.10:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
> wg-quick[3578548]: Error: Sender is not authorized to send message
> dbus-broker[333]: A security policy denied :1.8406 to send method call /org/fedoraproject/FirewallD1/config:org.freedesktop.DBus.Introspectable.Introspect to :1.10.
> dbus-broker[333]: A security policy denied :1.8406 to send method call /org/fedoraproject/FirewallD1:org.fedoraproject.FirewallD1.authorizeAll to :1.10.
> wg-quick[111]: [#] ip link delete dev wg-vps
> NetworkManager[222]: <info>  [1707692445.4722] device (wg-vps): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
> systemd[1]: wg-quick: Main process exited, code=exited, status=254/n/a
> systemd[1]: wg-quick: Failed with result 'exit-code'.
> systemd[1]: Failed to start wg-quick - WireGuard via wg-quick(8) for wg/vps.
> audit[1]: SERVICE_START pid=1 uid=0 auid=zzz ses=zzz subj=system_u:system_r:init_t:s0 msg='unit=wg-quick@wg-vps comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=>


With:
> (allow wireguard_t firewalld_t (dbus (send_msg)))

it stopped failing and Wireguard with firewall changes works fine.


However, I still had in logs the following "denied" messages:
> audit[111]: USER_AVC pid=111 uid=222 auid=333 ses=333 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'

which I eliminated with:
> (allow firewalld_t wireguard_t (dbus (send_msg)))


The final policy module file is:
> (allow wireguard_t cert_t (dir (search)))
> (allow wireguard_t cert_t (file (read open getattr)))
> (allow wireguard_t proc_t (file (read open)))
> (allow wireguard_t sysfs_t (file (read open)))
> (allow wireguard_t firewalld_t (dbus (send_msg)))
> (allow firewalld_t wireguard_t (dbus (send_msg)))


Thanks for pointing me in the right direction! Writing the following rules was straightforward after your suggestion.


And 4 remaining questions:
0. Is that custom policy loaded permanently? Or do I need to do something more to keep it loaded after a restart?
1. Are these the minimal permissions that need to be given to make Wireguard work with FirewallD?
2. Could it be upstreamed and available out of the box in Fedora? The changes in F37 seem to be too restrictive (for that case).
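The loop in Comments 8 and 9 (collect AVC denials, translate them into CIL allow rules, load the module, reproduce again) can be scripted. The following is an added example, not code from this bug or from the selinux-policy project, and not a replacement for audit2allow: it parses AVC and USER_AVC records in the format quoted above into deduplicated CIL rules keyed by source type, target type and object class. The audit text is constructed to mirror the denials in this bug; pids, inodes and timestamps are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the denials quoted in this bug report.
# Timestamps, pids and inode numbers are placeholders, not real system values.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1.1:1): avc:  denied  { search } for  pid=5106 comm="firewall-cmd" name="pki" dev="sda1" ino=393252 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1.1:2): avc:  denied  { read open } for  pid=5106 comm="firewall-cmd" name="openssl.cnf" dev="sda1" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1.1:3): avc:  denied  { getattr } for  pid=5106 comm="firewall-cmd" name="openssl.cnf" dev="sda1" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1.1:4): avc:  denied  { read } for  pid=5106 comm="firewall-cmd" name="stat" dev="proc" ino=4026532026 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1.1:5): pid=333 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1.1:6): avc:  granted  { read } for  pid=1 comm="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# Matches the denial core shared by AVC records and USER_AVC (dbus) records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)


def context_type(ctx):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return ctx.split(":")[2]


def parse_denials(audit_text):
    """Collect denied permissions keyed by (source type, target type, object class).

    Granted records and non-AVC lines are ignored; repeated denials for the same
    triple are merged so each (src, tgt, class) yields one rule.
    """
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["src"]), context_type(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules


def to_cil(rules):
    """Render the collected denials as CIL allow rules, one per (src, tgt, class).

    A denial only records what was attempted; each generated rule still has to be
    reviewed against what the confined service legitimately needs before loading.
    """
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(to_cil(parse_denials(SAMPLE_AUDIT))))
```

On a live system the input would come from `ausearch -m AVC,USER_AVC -ts recent`, and the output is what you would write to a .cil file and load with `semodule -i` as in Comment 8.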

Comment 10 Zdenek Pytela 2024-02-19 14:31:16 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/2042

You can check what the actual source change looks like.
It is slightly more than just the requested permissions.

After a new policy is built, please remove the local module with

```
# semodule -r local_wireguard
```

as the changes persist across reboot.
Thank you for your cooperation.

Comment 11 Fedora Update System 2024-02-28 16:56:26 UTC
FEDORA-2024-fa74d1507f (selinux-policy-39.5-1.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-fa74d1507f

Comment 12 Fedora Update System 2024-02-29 01:20:27 UTC
FEDORA-2024-fa74d1507f has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-fa74d1507f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-fa74d1507f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Marcin Zajaczkowski 2024-02-29 18:36:44 UTC
@zpytela I gave it a try, but it didn't work.

> $ sudo semodule -r local_wireguard
> $ sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-fa74d1507f
> $ rpm -qa | grep selinux-policy
> selinux-policy-39.5-1.fc39.noarch
> selinux-policy-targeted-39.5-1.fc39.noarch

> $ sudo systemctl restart wg-quick
> Job for wg-quick failed because the control process exited with error code.
> See "systemctl status wg-quick" and "journalctl -xeu wg-quick" for details.

In the system log I see:
> SELinux is preventing firewall-cmd from search access on the directory /etc/pki
> SELinux is preventing firewall-cmd from read access on the file possible.
> SELinux is preventing firewall-cmd from read access on the file stat.


Should I do anything else to "apply the new policies" (preferably without the system restart)?

Comment 14 Zdenek Pytela 2024-02-29 19:01:01 UTC
Please share audit log or ausearch command output.
Are you sure these entries were logged after the update?

Comment 15 Marcin Zajaczkowski 2024-02-29 19:31:43 UTC
Created attachment 2019469 [details]
audit logs

I attached the logs of ausearch from the time before the execution (I don't have there the logs from the selinux packages update due to the issues with the daemon itself).

> Are you sure these entries were logged after the update?

Yes, I removed my local module and tried to restart VPN.

Comment 16 Zdenek Pytela 2024-02-29 20:50:24 UTC
It seems the reported problems are not addressed in the latest f39 build, there needs to be a new one, sorry for that.

Comment 17 Marcin Zajaczkowski 2024-02-29 21:02:24 UTC
No problem, my local module still works :).

In case you need anything else from my side, don't hesitate to ask.

Comment 18 Zdenek Pytela 2024-03-01 13:18:24 UTC
The policy update should be a superset of the local module, I am just sorry for the delay in delivering a proper fix.

Comment 19 Fedora Update System 2024-03-04 01:12:02 UTC
FEDORA-2024-fa74d1507f (selinux-policy-39.5-1.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 20 Marcin Zajaczkowski 2024-03-05 20:22:37 UTC
As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2255572#c16 the original problem is not solved by the aforementioned update.

Comment 21 Aoife Moloney 2024-11-13 10:19:02 UTC
This message is a reminder that Fedora Linux 39 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 39 on 2024-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '39'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 39 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 22 Marcin Zajaczkowski 2024-11-22 20:36:21 UTC
I've just checked on a VPS upgraded from Fedora 39 to 41 with my custom module removed, and firewall-cmd works as expected. It seems there were some changes in the policy package which "fixed" it. Thanks Zdenek!