WireGuard on Rocky Linux
(aka It's Always SEPolicy)
11 April 2023 - Namkhai B.
If, like on my architecture, your WireGuard server wants to connect to the client (aka a hybrid host-to-host architecture), but the client still needs to initiate the connection to the server (due to NAT or other things), you'll need to add a PostUp line to the client config:
PostUp = ping -c1 server-wireguard-ip
If we use plain ol' wg-quick to start the interface, things work fine.
But the problems begin when we use the wg-quick@ systemd service, because now sepolicy kicks in...
systemctl status wg-quick@wg0 will show that the unit failed to start:
Apr 12 20:25:12 rocky wg-quick[89902]: /usr/bin/wg-quick: line 295: /usr/bin/ping: Permission denied
and /var/log/audit/audit.log will show this:
type=AVC msg=audit(1681332529.940:43): avc: denied { execute_no_trans } for pid=1383 comm="wg-quick" path="/usr/bin/ping" dev="dm-0" ino=4332526 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=0
After spending an entire afternoon debugging sepolicy, asking ChatGPT and getting an incorrect answer (no surprise there...), I got to...
The Solution
This is my custom sepolicy for WireGuard:
Enable this boolean:
$ sudo semanage boolean -m --on domain_can_mmap_files
Save this to wireguard-ping.te (the file name should match the module name used in the build commands below):
module wireguard-ping 1.0;
require {
type ping_exec_t;
type wireguard_t;
class file { execute_no_trans map unlink };
class process setcap;
class icmp_socket { create getopt setopt read write };
class rawip_socket create;
class udp_socket { create connect getattr };
}
#============= wireguard_t ==============
allow wireguard_t ping_exec_t:file { execute_no_trans map };
allow wireguard_t self:process setcap;
allow wireguard_t self:icmp_socket { create getopt setopt read write };
allow wireguard_t self:rawip_socket create;
allow wireguard_t self:udp_socket { create connect getattr };
Build it, load it and start wg-quick@wg0:
$ checkmodule -M -m -o wireguard-ping.mod wireguard-ping.te
$ semodule_package -o wireguard-ping.pp -m wireguard-ping.mod
$ sudo semodule -i wireguard-ping.pp
$ sudo systemctl start wg-quick@wg0