Allow wireguard to setup DNS (bsc#1243148)

rfrohl · rfrohl · commit ad83bfca3279 · 2025-08-19T14:09:40.000+02:00
type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1501 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mo
unt_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute } for  pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_
t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read } for  pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s
0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { open } for  pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount
_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute_no_trans } for  pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:ob
ject_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read write } for  pid=1550 comm="umount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run
_t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc:  denied  { unmount } for  pid=1550 comm="umount" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(..): avc:  denied  { mounton } for  pid=1429 comm="unshare" path="/" dev="vda2" ino=256 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
 permissive=1
type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1429 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_e
xec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute } for  pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0
tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read } for  pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tcl
ass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { open } for  pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec
_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute_no_trans } for  pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_
r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read write } for  pid=1441 comm="mount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_
t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc:  denied  { mount } for  pid=1441 comm="mount" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesys
tem permissive=1
type=AVC msg=audit(..): avc:  denied  { mounton } for  pid=1441 comm="mount" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclas
s=dir permissive=1
type=AVC msg=audit(..): avc:  denied  { create } for  pid=1442 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive
=1
type=AVC msg=audit(..): avc:  denied  { write open } for  pid=1442 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tm
pfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1442 comm="cat" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_
t:s0 tclass=file permissive=1

dontaudit and fs_tmpfs_filetrans():
type=AVC msg=audit(..): avc:  denied  { write } for  pid=1443 comm="chcon" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 t
type=AVC msg=audit(..): avc:  denied  { check_context } for  pid=1443 comm="chcon" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
type=AVC msg=audit(..): avc:  denied  { relabelfrom } for  pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s
0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { relabelto } for  pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:
s0 tclass=file permissive=1

type=AVC msg=audit(..): avc:  denied  { execute } for  pid=1444 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0
tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read open } for  pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount
_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute_no_trans } for  pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_
r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { mounton } for  pid=1429 comm="mount" path="/etc/resolv.conf" dev="vda2" ino=372219 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_
conf_t:s0 tclass=file permissive=1

storage_rw_fixed_disk_blk_dev():
type=AVC msg=audit(1754315767.202:373): avc:  denied  { getattr } for  pid=5254 comm="mount" path="/dev/dm-0" dev="devtmpfs" ino=402 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

sysnet_create_config(wireguard_t):
type=AVC msg=audit(1754392427.618:2593): avc:  denied  { create } for  pid=40463 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

sysnet_write_config(wireguard_t):
type=AVC msg=audit(1754392611.632:2598): avc:  denied  { write } for  pid=40584 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754392611.632:2599): avc:  denied  { write } for  pid=40584 comm="bash" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

XXX: not resolved yet
type=AVC msg=audit(..): avc:  denied  { sys_admin } for  pid=7635 comm="umount" capability=21  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability
 permissive=0
type=AVC msg=audit(..): avc:  denied  { sys_admin } for  pid=7699 comm="unshare" capability=21  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capabilit
y permissive=0
diff --git a/policy/modules/contrib/wireguard.te b/policy/modules/contrib/wireguard.te
@@ -41,6 +41,42 @@ domain_use_interactive_fds(wireguard_t)
 
 files_read_etc_files(wireguard_t)
 
+# XXX: new DNS stuff
+allow wireguard_t self:capability sys_admin;
+
+sysnet_mount_file(wireguard_t)
+#allow wireguard_t net_conf_t:file mounton;
+
+# use fs_tmpfs_filetrans() instead of chcon on resolv.conf
+
+# XXX: new interface below
+sysnet_dontaudit_file_relabelto(wireguard_t)
+#dontaudit wireguard_t net_conf_t:file { relabelto };
+
+#dontaudit wireguard_t tmpfs_t:file { relabelfrom };
+# XXX: open, no interface yet
+
+selinux_dontaudit_validate_context(wireguard_t)
+#dontaudit wireguard_t security_t:security check_context;
+#dontaudit wireguard_t security_t:file { read write };
+
+sysnet_create_config(wireguard_t)
+sysnet_write_config(wireguard_t)
+
+fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolv.conf")
+
+fs_all_mount_fs_perms_tmpfs(wireguard_t)
+fs_mounton_tmpfs(wireguard_t)
+fs_manage_ramfs_files(wireguard_t)
+storage_rw_fixed_disk_blk_dev(wireguard_t)
+
+optional_policy(`
+	mount_exec(wireguard_t)
+	mount_manage_pid_files(wireguard_t)
+')
+
+files_mounton_rootfs(wireguard_t)
+
 optional_policy(`
 	auth_read_passwd(wireguard_t)
 ')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
@@ -5772,6 +5772,24 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 	dontaudit $1 tmpfs_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit relabelfrom attempts on files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_relabelfrom_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:file relabelfrom;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of tmpfs directories.
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
@@ -1316,3 +1316,39 @@ interface(`sysnet_filetrans_cloud_net_conf',`
 
 	files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
 ')
+
+#######################################
+## <summary>
+##	Dontaudit relabelto network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_file_relabelto',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+    dontaudit $1 net_conf_t:file { relabelto };
+')
+
+#######################################
+## <summary>
+##	Mount network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_mount_file',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+    allow $1 net_conf_t:file mounton;
+')
