WireGuard on Rocky Linux

(aka It's Always SEPolicy)

11 April 2023 - Namkhai B.

If, as in my setup, the WireGuard server has to be able to reach the client (a hybrid host-to-host arrangement) but the client is the one that must initiate the tunnel (because it sits behind NAT or similar), the server only learns the client's endpoint once the client has sent it a packet. A PostUp line in the client config sends that first packet; replace server-wireguard-ip with the server's address inside the tunnel (and, since NAT mappings expire, add PersistentKeepalive = 25 to the client's [Peer] section to keep the path open):

PostUp = ping -c1 server-wireguard-ip

Bring the interface up by hand with plain ol' wg-quick up wg0 and things work fine, because a root shell on a targeted-policy system runs unconfined.

But the problems begin when we start it as the wg-quick@ systemd service: under systemd, wg-quick runs confined in the wireguard_t SELinux domain, so the policy now applies to everything the PostUp line tries to execute...

systemctl start wg-quick@wg0 fails, and systemctl status wg-quick@wg0 shows why:

Apr 12 20:25:12 rocky wg-quick[89902]: /usr/bin/wg-quick: line 295: /usr/bin/ping: Permission denied

and /var/log/audit/audit.log records the denial:

type=AVC msg=audit(1681332529.940:43): avc:  denied  { execute_no_trans } for  pid=1383 comm="wg-quick" path="/usr/bin/ping" dev="dm-0" ino=4332526 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=0

Read the fields: scontext is the domain doing the access (wireguard_t, the domain systemd runs wg-quick in), tcontext is the label of what is being accessed (ping_exec_t, the ping binary), tclass=file is the object class, and the braces hold the denied permission. execute_no_trans means executing a file without a domain transition: wg-quick wants to run ping inside its own wireguard_t domain, and the shipped policy does not allow that.

After spending an entire afternoon debugging sepolicy, asking ChatGPT and getting an incorrect answer (no surprise there...), I got to...

The Solution

This is the custom policy module I ended up with. It grants wireguard_t what the successive denials asked for and nothing more; the usual way to derive such a module is to feed the denials to audit2allow (ausearch -m AVC -ts recent | audit2allow -M wireguard-ping) and then review every rule it proposes before loading it.

Enable this boolean:

$ sudo semanage boolean -m --on domain_can_mmap_files

A caveat: domain_can_mmap_files is system-wide, it lets every confined domain mmap every file type, not just wireguard_t on ping_exec_t. The module below already grants wireguard_t the map permission on ping_exec_t explicitly, so try it without the boolean first and only turn the boolean on if a map denial is still logged.

Save this to wireguard-ping.te (the filename has to match the build commands below):

module wireguard-ping 1.0;

require {
        type ping_exec_t;
        type wireguard_t;
        class file { execute_no_trans map };
        class process setcap;
        class icmp_socket { create getopt setopt read write };
        class rawip_socket create;
        class udp_socket { create connect getattr };
}

#============= wireguard_t ==============

# Let wg-quick (running as wireguard_t) execute ping without a domain
# transition; everything ping does then happens inside wireguard_t.
allow wireguard_t ping_exec_t:file { execute_no_trans map };
# ping adjusts its own capabilities and needs ICMP, raw and UDP sockets,
# which is why these have to be granted to wireguard_t itself.
allow wireguard_t self:process setcap;
allow wireguard_t self:icmp_socket { create getopt setopt read write };
allow wireguard_t self:rawip_socket create;
allow wireguard_t self:udp_socket { create connect getattr };

Build it, load it and start wg-quick@wg0. Afterwards semodule -l should list wireguard-ping, and a fresh look at the audit log should show no new AVC denials for wireguard_t:

$ checkmodule -M -m -o wireguard-ping.mod wireguard-ping.te
$ semodule_package -o wireguard-ping.pp -m wireguard-ping.mod
$ sudo semodule -i wireguard-ping.pp
$ sudo systemctl start wg-quick@wg0
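The AVC denial quoted earlier and the rules in the module are two views of the same thing, and the mapping between them is mechanical: the type in scontext becomes the source of the allow rule, the type in tcontext its target (or self when both contexts match, as with ping's own sockets), tclass the object class, and the permissions in braces the permission set. audit2allow performs this mapping in practice; the following is an added example, not code from the original post, that does the same in Python so the field mapping is visible. The file denial in the sample is the one quoted above; the icmp_socket and SYSCALL lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Pulls the fields of an AVC denial that a type-enforcement rule needs:
# the permissions in braces, the source/target security contexts and the
# object class. Everything else on the line (pid, comm, path, ino) is
# forensic context only.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Sample audit.log content. The first line is the denial quoted in the
# post; the other AVC lines are constructed to show self-targeted socket
# denials, and the SYSCALL record shows a non-AVC line being skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1681332529.940:43): avc:  denied  { execute_no_trans } for  pid=1383 comm="wg-quick" path="/usr/bin/ping" dev="dm-0" ino=4332526 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1681332529.940:43): arch=c000003e syscall=59 success=no exit=-13 comm="wg-quick" exe="/usr/bin/bash" subj=system_u:system_r:wireguard_t:s0',
    'type=AVC msg=audit(1681332529.951:44): avc:  denied  { create } for  pid=1384 comm="ping" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=icmp_socket permissive=0',
    'type=AVC msg=audit(1681332529.952:45): avc:  denied  { setopt getopt } for  pid=1384 comm="ping" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=icmp_socket permissive=0',
]


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
        # permissive=1 means the access went through but would be denied in enforcing mode
        "permissive": "permissive=1" in line,
    }


def fmt_perms(perms):
    """Single permission bare, several in braces, matching checkmodule syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(module_name, lines, version="1.0"):
    """Aggregate AVC denials into a minimal .te policy module, audit2allow style."""
    rules = defaultdict(set)      # (stype, ttype, tclass) -> permissions
    classes = defaultdict(set)    # tclass -> permissions the require block must declare
    types = set()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
        classes[d["tclass"]].update(d["perms"])
        types.update((d["stype"], d["ttype"]))

    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        # A denial whose source and target contexts match becomes a rule on self
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te("wireguard-ping", SAMPLE_AUDIT_LINES))
```

The generated rules grant exactly what was denied, which is the right starting point but not the end of the job: each permission still has to be judged on its own (here, for instance, whether wireguard_t really should be allowed raw sockets, or whether a domain transition into ping's own domain would be the cleaner fix).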