File 1243148-wireguard_dns.patch of Package selinux-policy
commit ced667eb80680b17028eec03a39750bc22cc6b56
Author: Robert Frohl <rfrohl@suse.com>
Date: Mon Dec 15 15:13:01 2025 +0100
Allow wireguard to setup DNS using dns_hatchet (bsc#1243148)
There is one complicated solution in this change: A chcon execution is
masked and the correct context for resolv.conf comes via a filetrans:
fs_dontaudit_relabelfrom_tmpfs_files() and sysnet_dontaudit_file_relabelto()
to mask the chcon execution and worked around with:
fs_tmpfs_filetrans()
for correct context on resolv.conf.
The remaining policy additions are fairly straight forward.
allow wireguard_t self:capability sys_admin:
type=AVC msg=audit(..): avc: denied { sys_admin } for pid=7635 comm="umount" capability=21 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability
type=AVC msg=audit(..): avc: denied { sys_admin } for pid=7699 comm="unshare" capability=21 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability
mount_exec():
type=AVC msg=audit(..): avc: denied { getattr } for pid=1501 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { execute } for pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { read } for pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { open } for pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { execute_no_trans } for pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { getattr } for pid=1429 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { execute } for pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { read } for pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { open } for pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { execute_no_trans } for pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { execute } for pid=1444 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { read open } for pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { execute_no_trans } for pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
mount_manage_pid_files():
type=AVC msg=audit(..): avc: denied { read write } for pid=1550 comm="umount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir
type=AVC msg=audit(..): avc: denied { read write } for pid=1441 comm="mount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=dir
fs_all_mount_fs_perms_tmpfs():
type=AVC msg=audit(..): avc: denied { unmount } for pid=1550 comm="umount" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(..): avc: denied { mount } for pid=1441 comm="mount" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
fs_mounton_tmpfs():
type=AVC msg=audit(..): avc: denied { mounton } for pid=1441 comm="mount" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
files_mounton_rootfs():
type=AVC msg=audit(..): avc: denied { mounton } for pid=1429 comm="unshare" path="/" dev="vda2" ino=256 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
fs_manage_tmpfs_files():
type=AVC msg=audit(..): avc: denied { create } for pid=1442 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { write open } for pid=1442 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { getattr } for pid=1442 comm="cat" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
fs_dontaudit_relabelfrom_tmpfs_files():
type=AVC msg=audit(..): avc: denied { relabelfrom } for pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
sysnet_dontaudit_file_relabelto():
type=AVC msg=audit(..): avc: denied { relabelto } for pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
fs_tmpfs_filetrans():
type=AVC msg=audit(..): avc: denied { write } for pid=1443 comm="chcon" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { check_context } for pid=1443 comm="chcon" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
sysnet_mount_file():
type=AVC msg=audit(..): avc: denied { mounton } for pid=1429 comm="mount" path="/etc/resolv.conf" dev="vda2" ino=372219 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
storage_rw_fixed_disk_blk_dev():
type=AVC msg=audit(..): avc: denied { getattr } for pid=5254 comm="mount" path="/dev/dm-0" dev="devtmpfs" ino=402 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
sysnet_create_config():
type=AVC msg=audit(..): avc: denied { create } for pid=40463 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
sysnet_write_config():
type=AVC msg=audit(..): avc: denied { write } for pid=40584 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(..): avc: denied { write } for pid=40584 comm="bash" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
fs_search_cgroup_dirs():
type=AVC msg=audit(..): avc: denied { search } for pid=1509 comm="sort" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
diff --git a/policy/modules/contrib/wireguard.te b/policy/modules/contrib/wireguard.te
index ea79a908a..822afebcc 100644
--- a/policy/modules/contrib/wireguard.te
+++ b/policy/modules/contrib/wireguard.te
@@ -41,6 +41,32 @@ domain_use_interactive_fds(wireguard_t)
files_read_etc_files(wireguard_t)
+# DNS hatchet part
+allow wireguard_t self:capability sys_admin;
+
+sysnet_create_config(wireguard_t)
+sysnet_mount_file(wireguard_t)
+sysnet_write_config(wireguard_t)
+
+# DNS hatchet: masking a chcon call in favor of fs_tmpfs_filetrans() for proper file context on resolv.conf
+sysnet_dontaudit_file_relabelto(wireguard_t)
+fs_dontaudit_relabelfrom_tmpfs_files(wireguard_t)
+selinux_dontaudit_validate_context(wireguard_t)
+fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolv.conf")
+
+files_mounton_rootfs(wireguard_t)
+
+fs_all_mount_fs_perms_tmpfs(wireguard_t)
+fs_mounton_tmpfs(wireguard_t)
+fs_manage_tmpfs_files(wireguard_t)
+fs_search_cgroup_dirs(wireguard_t)
+storage_rw_fixed_disk_blk_dev(wireguard_t)
+
+optional_policy(`
+ mount_exec(wireguard_t)
+ mount_manage_pid_files(wireguard_t)
+')
+
optional_policy(`
auth_read_passwd(wireguard_t)
')
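Review bot: `storage_rw_fixed_disk_blk_dev(wireguard_t)` grants read and write on fixed_disk_device_t block files, but the only denial quoted for it in the description (pid 5254, comm="mount" on /dev/dm-0) is `getattr`. Raw block-device read/write lets the domain bypass every file-level label on the disk, which is a large escalation for a helper that only needs to stat the device during a bind mount; unless a denial for `read`/`write` was observed, `storage_getattr_fixed_disk_dev(wireguard_t)` should be sufficient. The same over-grant pattern appears two lines earlier with `fs_all_mount_fs_perms_tmpfs(wireguard_t)`: the quoted denials are `mount` and `unmount` only, which `fs_mount_tmpfs(wireguard_t)` and `fs_unmount_tmpfs(wireguard_t)` cover without also granting remount and relabel on the filesystem. A short comment such as `# mount stats /dev/dm-0 before bind-mounting resolv.conf; getattr only` next to the storage call would record why the narrower interface was chosen.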