
@rfrohl (Contributor) commented Aug 19, 2025

This is a bit of a contentious change for me and I currently do not find too much time to continue to work on it, but I would like some feedback on one piece:

There is this code piece in wg-quick[0], which I try to work around here:

	printf 'nameserver %s\n' "${DNS[@]}"
		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
			set -e
			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
			mount --make-private /dev/shm
			mount -t tmpfs none /dev/shm
			cat > /dev/shm/resolv.conf
			[[ -z \$context || \$context == "?" ]] || chcon "\$context" /dev/shm/resolv.conf 2>/dev/null || true
			mount -o remount,ro /dev/shm
			mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
		_EOF

Currently my only good idea is to dontaudit the chcon change and set up a file transition for /tmp:

fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolv.conf")

Which then should mean that resolv.conf has the correct label after the mount of /dev/shm/resolv.conf to /etc/resolv.conf.

Not sure if there might be a better option or if that solution might be acceptable in the first place?

[0] https://git.zx2c4.com/wireguard-tools/tree/contrib/dns-hatchet/hatchet.bash#n27

type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1501 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute } for  pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read } for  pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { open } for  pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute_no_trans } for  pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read write } for  pid=1550 comm="umount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc:  denied  { unmount } for  pid=1550 comm="umount" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(..): avc:  denied  { mounton } for  pid=1429 comm="unshare" path="/" dev="vda2" ino=256 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1429 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute } for  pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read } for  pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { open } for  pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute_no_trans } for  pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read write } for  pid=1441 comm="mount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc:  denied  { mount } for  pid=1441 comm="mount" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(..): avc:  denied  { mounton } for  pid=1441 comm="mount" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc:  denied  { create } for  pid=1442 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { write open } for  pid=1442 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1442 comm="cat" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

dontaudit and fs_tmpfs_filetrans():
type=AVC msg=audit(..): avc:  denied  { write } for  pid=1443 comm="chcon" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 t
type=AVC msg=audit(..): avc:  denied  { check_context } for  pid=1443 comm="chcon" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
type=AVC msg=audit(..): avc:  denied  { relabelfrom } for  pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { relabelto } for  pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1

type=AVC msg=audit(..): avc:  denied  { execute } for  pid=1444 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { read open } for  pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { execute_no_trans } for  pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { mounton } for  pid=1429 comm="mount" path="/etc/resolv.conf" dev="vda2" ino=372219 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1

storage_rw_fixed_disk_blk_dev():
type=AVC msg=audit(1754315767.202:373): avc:  denied  { getattr } for  pid=5254 comm="mount" path="/dev/dm-0" dev="devtmpfs" ino=402 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

sysnet_create_config(wireguard_t):
type=AVC msg=audit(1754392427.618:2593): avc:  denied  { create } for  pid=40463 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

sysnet_write_config(wireguard_t):
type=AVC msg=audit(1754392611.632:2598): avc:  denied  { write } for  pid=40584 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1754392611.632:2599): avc:  denied  { write } for  pid=40584 comm="bash" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

XXX: not resolved yet
type=AVC msg=audit(..): avc:  denied  { sys_admin } for  pid=7635 comm="umount" capability=21  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0
type=AVC msg=audit(..): avc:  denied  { sys_admin } for  pid=7699 comm="unshare" capability=21  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0
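To triage a log like the one above the way a policy author does before deciding which denials become allow rules and which get hidden, here is an added example (not part of this PR or of the selinux-policy project) that groups AVC records by source type, target type and object class and renders each group as a raw rule. The sample records are re-joined copies of lines from the log above; treating every chcon denial as a dontaudit candidate is an assumption taken from the approach described in the comment, and mapping the raw rules to reference-policy interfaces such as fs_tmpfs_filetrans() is left to the policy author.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied (re-joined) from the log quoted above.
SAMPLE_AVC = """\
type=AVC msg=audit(..): avc:  denied  { relabelfrom } for  pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { relabelto } for  pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { write open } for  pid=1442 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { create } for  pid=1442 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc:  denied  { sys_admin } for  pid=7699 comm="unshare" capability=21  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0
"""

# Fields of a denial record that matter for writing policy.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)


def type_of(context):
    """'system_u:object_r:tmpfs_t:s0' -> 'tmpfs_t' (the type field of a context)."""
    return context.split(":")[2]


def summarize(log, dontaudit_comms=frozenset({"chcon"})):
    """Group denials into (verb, source type, target type, class) -> sorted perms.

    Records from commands in dontaudit_comms (assumption: the chcon relabel the
    comment proposes to hide) are collected as dontaudit candidates, all others
    as allow candidates.  'enforced' records whether any record in the group was
    an actual denial (permissive=0) rather than a permissive-mode audit.
    """
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        verb = "dontaudit" if m["comm"] in dontaudit_comms else "allow"
        key = (verb, type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["enforced"] |= m["permissive"] == "0"
    return {k: {"perms": sorted(v["perms"]), "enforced": v["enforced"]}
            for k, v in groups.items()}


def as_rules(summary):
    """Render each group as a raw policy rule, e.g. 'allow a_t b_t:file { read };'."""
    return [f"{verb} {s} {t}:{c} {{ {' '.join(v['perms'])} }};"
            for (verb, s, t, c), v in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE_AVC))))
```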
@rfrohl (Contributor, Author) commented Aug 19, 2025

condensed the draft a bit further, to make it easier to digest

@zpytela (Contributor) commented Aug 26, 2025

No issue with the selinux bits, I rather failed to understand well the wg-quick steps.

@rfrohl (Contributor, Author) commented Aug 26, 2025

> No issue with the selinux bits, I rather failed to understand well the wg-quick steps.

They look at the label of resolv.conf and try to re-create the label for the /dev/shm copy, then remount the file over /etc/resolv.conf with the correct label. Allowing the system to access the file as expected.

What I did not understand is where this would have ever worked. relabelto and relabelfrom are not something that I found allowed very often.

The main point I was unsure about is that I 'hide' some of the AVCs and therefore deny steps the script is using. I was unsure if that is an acceptable route to take for something like this.

But it sounds to me like you do not mind that approach, so I will continue with this solution once I have time again.

@zpytela (Contributor) commented Aug 27, 2025

We can talk to wg folks to sync the changes. Now I think I understand, it would possibly be more readable if "cp -a" was used instead of working with $context, but the permission would be needed anyway.
