Issues related to configuring your network
s.d.
- Posts: 6
- Joined: 2022/10/04 08:18:50
Post
by s.d. » 2022/10/14 11:57:11
Hi, now I have another problem.
I tried to install WireGuard on my machine as described here:
https://www.server-world.info/en/note?o ... eguard&f=1
but enabling wg gives an error:
[root@bastion system]# systemctl status wg-quick@wg0.service
× wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2022-10-14 13:54:50 CEST; 15s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 1407 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=36)
Main PID: 1407 (code=exited, status=36)
CPU: 166ms
Okt 14 13:54:50 bastion wg-quick[1407]: [#] wg setconf wg0 /dev/fd/63
Okt 14 13:54:50 bastion wg-quick[1407]: [#] ip -4 address add 198.168.100.1/24 dev wg0
Okt 14 13:54:50 bastion wg-quick[1407]: [#] ip link set mtu 1420 up dev wg0
Okt 14 13:54:50 bastion wg-quick[1407]: [#] ip -4 route add 192.168.100.11/32 dev wg0
Okt 14 13:54:50 bastion wg-quick[1407]: [#] firewall-cmd --add-port=51821/udp
Okt 14 13:54:50 bastion wg-quick[1444]: Error: DBUS_ERROR: Failed to connect to socket /run/dbus/system_bus_socket: Permission denied
Okt 14 13:54:50 bastion wg-quick[1407]: [#] ip link delete dev wg0
Okt 14 13:54:50 bastion systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=36/n/a
Okt 14 13:54:50 bastion systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Okt 14 13:54:50 bastion systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
Can anybody help me please? I don't know how to handle DBUS_ERROR.
It seems to depend on my PostUp/PostDown lines:
PostUp = firewall-cmd --zone=external --add-port=51821/udp
PostDown = firewall-cmd --zone=external --remove-port=51821/udp
TrevorH
- Site Admin
- Posts: 32777
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
Post
by TrevorH » 2022/10/14 12:21:25
Are you using firewalld?
s.d.
- Posts: 6
- Joined: 2022/10/04 08:18:50
Post
by s.d. » 2022/10/14 12:25:49
Yes, using firewalld.
If I start wg by
wg-quick up wg0
it works, but with
systemctl enable -now wg-quick@wg0
I get the error.
TrevorH
- Site Admin
- Posts: 32777
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
Post
by TrevorH » 2022/10/14 12:33:39
Run aureport -a and see if there are any entries dated around the time you last tried. If there are, take the number from the right hand end of the line and feed that into ausearch -a nnnn where nnnn is the number you first thought of.
s.d.
- Posts: 6
- Joined: 2022/10/04 08:18:50
Post
by s.d. » 2022/10/14 12:46:03
Here is the result:
aureport -1
57. 14.10.2022 14:42:42 wg system_u:system_r:wireguard_t:s0 41 udp_socket create system_u:system_r:wireguard_t:s0 denied 243
58. 14.10.2022 14:42:42 wg system_u:system_r:wireguard_t:s0 41 udp_socket create system_u:system_r:wireguard_t:s0 denied 244
59. 14.10.2022 14:42:42 firewall-cmd system_u:system_r:wireguard_t:s0 257 dir search system_u:object_r:cert_t:s0 denied 247
60. 14.10.2022 14:42:42 firewall-cmd system_u:system_r:wireguard_t:s0 42 dir search system_u:object_r:system_dbusd_var_run_t:s0 denied 248
ausearch -a 243
----
time->Fri Oct 14 11:00:19 2022
type=SOFTWARE_UPDATE msg=audit(1665738019.224:243): pid=10809 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="jose-11-3.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=bastion addr=? terminal=pts/0 res=success'
----
time->Fri Oct 14 13:02:03 2022
type=BPF msg=audit(1665745323.079:243): prog-id=0 op=UNLOAD
----
time->Fri Oct 14 14:01:58 2022
type=BPF msg=audit(1665748918.691:243): prog-id=86 op=LOAD
----
time->Fri Oct 14 14:42:42 2022
type=PROCTITLE msg=audit(1665751362.258:243): proctitle=776700736574636F6E6600776730002F6465762F66642F3633
type=SYSCALL msg=audit(1665751362.258:243): arch=c000003e syscall=41 success=no exit=-13 a0=a a1=80002 a2=0 a3=7ffc71ba0090 items=0 ppid=1645 pid=1657 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wg" exe="/usr/bin/wg" subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(1665751362.258:243): avc: denied { create } for pid=1657 comm="wg" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
ausearch -a 244
----
time->Fri Oct 14 11:00:19 2022
type=SOFTWARE_UPDATE msg=audit(1665738019.224:244): pid=10809 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="tracer-common-0.7.5-4.el9.noarch" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=bastion addr=? terminal=pts/0 res=success'
----
time->Fri Oct 14 13:02:03 2022
type=BPF msg=audit(1665745323.079:244): prog-id=0 op=UNLOAD
----
time->Fri Oct 14 14:01:58 2022
type=SERVICE_START msg=audit(1665748918.729:244): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Fri Oct 14 14:42:42 2022
type=PROCTITLE msg=audit(1665751362.258:244): proctitle=776700736574636F6E6600776730002F6465762F66642F3633
type=SYSCALL msg=audit(1665751362.258:244): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=80002 a2=0 a3=7ffc71ba0090 items=0 ppid=1645 pid=1657 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wg" exe="/usr/bin/wg" subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(1665751362.258:244): avc: denied { create } for pid=1657 comm="wg" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
ausearch -a 247
----
time->Fri Oct 14 11:00:19 2022
type=SOFTWARE_UPDATE msg=audit(1665738019.224:247): pid=10809 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="python3-lxml-4.6.5-3.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=bastion addr=? terminal=pts/0 res=success'
----
time->Fri Oct 14 13:02:03 2022
type=BPF msg=audit(1665745323.081:247): prog-id=78 op=LOAD
----
time->Fri Oct 14 14:02:28 2022
type=BPF msg=audit(1665748948.753:247): prog-id=0 op=UNLOAD
----
time->Fri Oct 14 14:42:42 2022
type=PROCTITLE msg=audit(1665751362.399:247): proctitle=2F7573722F62696E2F707974686F6E33002D73002F7573722F62696E2F6669726577616C6C2D636D64002D2D7A6F6E653D65787465726E616C002D2D6164642D706F72743D35313832312F756470
type=SYSCALL msg=audit(1665751362.399:247): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=556d708f45a0 a2=0 a3=0 items=0 ppid=1677 pid=1678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewall-cmd" exe="/usr/bin/python3.9" subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(1665751362.399:247): avc: denied { search } for pid=1678 comm="firewall-cmd" name="pki" dev="dm-0" ino=17016114 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
ausearch -a 248
----
time->Fri Oct 14 11:00:19 2022
type=SOFTWARE_UPDATE msg=audit(1665738019.225:248): pid=10809 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="python3-tracer-0.7.5-4.el9.noarch" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=bastion addr=? terminal=pts/0 res=success'
----
time->Fri Oct 14 13:02:03 2022
type=BPF msg=audit(1665745323.081:248): prog-id=0 op=UNLOAD
----
time->Fri Oct 14 14:02:28 2022
type=BPF msg=audit(1665748948.753:248): prog-id=0 op=UNLOAD
----
time->Fri Oct 14 14:42:42 2022
type=PROCTITLE msg=audit(1665751362.428:248): proctitle=2F7573722F62696E2F707974686F6E33002D73002F7573722F62696E2F6669726577616C6C2D636D64002D2D7A6F6E653D65787465726E616C002D2D6164642D706F72743D35313832312F756470
type=SYSCALL msg=audit(1665751362.428:248): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd49ddf430 a2=1d a3=21 items=0 ppid=1677 pid=1678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewall-cmd" exe="/usr/bin/python3.9" subj=system_u:system_r:wireguard_t:s0 key=(null)
type=AVC msg=audit(1665751362.428:248): avc: denied { search } for pid=1678 comm="firewall-cmd" name="dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
TrevorH
- Site Admin
- Posts: 32777
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
Post
by TrevorH » 2022/10/14 14:41:17
I'd suggest reading
https://wiki.centos.org/HowTos/SELinux - specifically the bit titled "7. Creating Custom SELinux Policy Modules with audit2allow". To do that properly, run
service auditd rotate first then move or delete the old logs in /var/log/audit (audit.log is the current one, don't try to delete that), then run
setenforce 0 to go permissive and then recreate the problem. Now your audit log should have all the denials listed that would be needed to create a policy to allow the accesses.
I also think that reporting the problem to the wireguard author and telling him the steps required to fix the problem might help. He may then be able to ship something like a wireguard-selinux package to ship a policy file to allow it to work out of the box.
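An added example, not from this thread or from the WireGuard project, showing offline what the audit2allow step above does with the ausearch records posted earlier: it parses AVC denial lines, groups them by source type, target type and object class, and renders a .te policy module. The audit lines are a constructed sample modelled on the three denials quoted in the thread, and the module name local_wgquick is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records shaped like the three denials quoted in this thread
# (wg creating a UDP socket, firewall-cmd searching /etc/pki and /run/dbus), plus one
# SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1665751362.258:243): avc: denied { create } for pid=1657 comm="wg" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1665751362.399:247): avc: denied { search } for pid=1678 comm="firewall-cmd" name="pki" dev="dm-0" ino=17016114 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1665751362.428:248): avc: denied { search } for pid=1678 comm="firewall-cmd" name="dbus" dev="tmpfs" ino=46 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1665751362.428:248): arch=c000003e syscall=42 success=no exit=-13 comm="firewall-cmd"
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """user:role:type:level -> the type field."""
    return context.split(":")[2]

def parse_denials(audit_text):
    """Map (source type, target type, class) -> set of denied permissions.
    A denial against the process's own context is recorded as 'self', as audit2allow does."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PROCTITLE records carry no permission info
        src, tgt = selinux_type(m["sctx"]), selinux_type(m["tctx"])
        key = (src, "self" if src == tgt else tgt, m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def render_te(rules, module="local_wgquick"):
    """Render a .te module in the layout audit2allow emits (module name is an assumption).
    Build/install with: checkmodule -M -m -o x.mod x.te; semodule_package -o x.pp -m x.mod; semodule -i x.pp"""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt) if t != "self"})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te(parse_denials(SAMPLE_AUDIT)))
```

Before installing a module like this, run audit2allow -w on the same records to see whether an existing boolean already covers the access, and keep the rule set limited to the denials you actually reproduced in permissive mode.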