commit e6ff6124a542a8e0affe899864b8c46c5234e935
Author: Robert Frohl <rfrohl@suse.com>
Date: Mon Jun 23 14:55:28 2025 +0200
Allow wireguard to setup DNS (bsc#1243148)
type=AVC msg=audit(..): avc: denied { getattr } for pid=1501 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mo
unt_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { execute } for pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_
t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { read } for pid=1501 comm="wg-quick" name="umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s
0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { open } for pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount
_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { execute_no_trans } for pid=1550 comm="wg-quick" path="/usr/bin/umount" dev="vda2" ino=352325 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:ob
ject_r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { read write } for pid=1550 comm="umount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run
_t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc: denied { unmount } for pid=1550 comm="umount" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(..): avc: denied { mounton } for pid=1429 comm="unshare" path="/" dev="vda2" ino=256 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
permissive=1
type=AVC msg=audit(..): avc: denied { getattr } for pid=1429 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_e
xec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { execute } for pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0
tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { read } for pid=1429 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tcl
ass=file permissive=1
type=AVC msg=audit(..): avc: denied { open } for pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec
_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { execute_no_trans } for pid=1440 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_
r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { read write } for pid=1441 comm="mount" name="mount" dev="tmpfs" ino=766 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_
t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc: denied { mount } for pid=1441 comm="mount" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesys
tem permissive=1
type=AVC msg=audit(..): avc: denied { mounton } for pid=1441 comm="mount" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclas
s=dir permissive=1
type=AVC msg=audit(..): avc: denied { create } for pid=1442 comm="bash" name="resolv.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive
=1
type=AVC msg=audit(..): avc: denied { write open } for pid=1442 comm="bash" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tm
pfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { getattr } for pid=1442 comm="cat" path="/dev/shm/resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_
t:s0 tclass=file permissive=1
dontaudit and fs_tmpfs_filetrans():
type=AVC msg=audit(..): avc: denied { write } for pid=1443 comm="chcon" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 t
type=AVC msg=audit(..): avc: denied { check_context } for pid=1443 comm="chcon" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
type=AVC msg=audit(..): avc: denied { relabelfrom } for pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s
0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { relabelto } for pid=1443 comm="chcon" name="resolv.conf" dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:
s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { execute } for pid=1444 comm="bash" name="mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0
tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { read open } for pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount
_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { execute_no_trans } for pid=1444 comm="bash" path="/usr/bin/mount" dev="vda2" ino=352304 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_
r:mount_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { mounton } for pid=1429 comm="mount" path="/etc/resolv.conf" dev="vda2" ino=372219 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_
conf_t:s0 tclass=file permissive=1
XXX: not resolved yet
type=AVC msg=audit(..): avc: denied { sys_admin } for pid=7635 comm="umount" capability=21 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability
permissive=0
type=AVC msg=audit(..): avc: denied { sys_admin } for pid=7699 comm="unshare" capability=21 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capabilit
y permissive=0
diff --git a/policy/modules/contrib/wireguard.te b/policy/modules/contrib/wireguard.te
index ea79a908a..461ce33bc 100644
--- a/policy/modules/contrib/wireguard.te
+++ b/policy/modules/contrib/wireguard.te
@@ -41,6 +41,38 @@ domain_use_interactive_fds(wireguard_t)
files_read_etc_files(wireguard_t)
+# XXX: new DNS stuff
+allow wireguard_t self:capability sys_admin;
+
+sysnet_mount_file(wireguard_t)
+#allow wireguard_t net_conf_t:file mounton;
+
+# use fs_tmpfs_filetrans() instead of chcon on resolve.conf
+
+# XXX: new interface below
+sysnet_dontaudit_file_relabelto(wireguard_t)
+#dontaudit wireguard_t net_conf_t:file { relabelto };
+
+#dontaudit wireguard_t tmpfs_t:file { relabelfrom };
+# XXX: open, no interface yet
+
+selinux_dontaudit_validate_context(wireguard_t)
+#dontaudit wireguard_t security_t:security check_context;
+#dontaudit wireguard_t security_t:file { read write };
+
+fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolve.conf")
+
+fs_all_mount_fs_perms_tmpfs(wireguard_t)
+fs_mounton_tmpfs(wireguard_t)
+fs_manage_ramfs_files(wireguard_t)
+
+optional_policy(`
+ mount_exec(wireguard_t)
+ mount_manage_pid_files(wireguard_t)
+')
+
+files_mounton_rootfs(wireguard_t)
+
optional_policy(`
auth_read_passwd(wireguard_t)
')
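Review bot: The name transition `fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolve.conf")` uses "resolve.conf", while every AVC in the description and the chcon call it is meant to replace refer to `resolv.conf`, so the transition never matches and the file wg-quick creates in /dev/shm keeps the tmpfs_t label it shows in the `create` denial; it should read `fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolv.conf")`, and the comment a few lines above it carries the same typo. Because the chcon fallback is being dontaudited in the same hunk, in enforcing mode that mismatch would leave /dev/shm/resolv.conf as tmpfs_t with little in the audit log to point at the cause. The `fs_dontaudit_relabelfrom_tmpfs_files` interface this patch adds in filesystem.if is never called from wireguard.te, although the commented `#dontaudit wireguard_t tmpfs_t:file { relabelfrom };` and the "open, no interface yet" marker refer to exactly that rule; either call it here or drop the interface. The `XXX` markers, the commented-out raw rules and the description's "not resolved yet" section (which lists the sys_admin denials that `allow wireguard_t self:capability sys_admin;` does in fact resolve) read as work in progress and should be reconciled before merge, since that capability is the broadest grant in the change.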
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 2fcd60892..8f2a9444a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5754,6 +5754,24 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
dontaudit $1 tmpfs_t:dir getattr;
')
+########################################
+## <summary>
+## Do not audit relabelfrom attempts on files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_relabelfrom_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:file relabelfrom;
+')
+
########################################
## <summary>
## Set the attributes of tmpfs directories.
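Review bot: The summary of `fs_dontaudit_relabelfrom_tmpfs_files` says "Do not audit relabelfrom attempts on files." and omits the filesystem the interface is about, unlike the neighbouring `fs_dontaudit_getattr_tmpfs_dirs`; it should read `## Do not audit attempts to relabel from tmpfs files.` so a policy author searching for tmpfs interfaces finds it. The body itself is consistent with the name, covering only `tmpfs_t:file relabelfrom`.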
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 966c37511..015aa8bfe 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -1317,3 +1317,39 @@ interface(`sysnet_filetrans_cloud_net_conf',`
files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
')
+
+#######################################
+## <summary>
+## Dontaudit relabelto network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_file_relabelto',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ dontaudit $1 net_conf_t:file { relabelto };
+')
+
+#######################################
+## <summary>
+## Mount network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_mount_file',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:file mounton;
+')
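Review bot: The summary of `sysnet_mount_file` says "Mount network config files." but the rule it grants is `allow $1 net_conf_t:file mounton;`, which permits mounting something on top of a net_conf_t file (the bind mount over /etc/resolv.conf seen in the description's `mounton` denial), not mounting the files themselves; the summary should read `## Mount on top of network configuration files.` and, following the verb-object naming used by `fs_mounton_tmpfs` and `sysnet_filetrans_cloud_net_conf`, the interface would be clearer as `sysnet_mounton_net_conf_files`. By the same convention `sysnet_dontaudit_file_relabelto` would be `sysnet_dontaudit_relabelto_net_conf_files`, and its parameter summary "Domain allowed access." is wrong for a dontaudit interface and should be `## Domain to not audit.`, as the filesystem.if interface in this same patch already phrases it. The braces in `{ relabelto }` are superfluous for a single permission, and the two header rules are one `#` shorter than the one added to filesystem.if.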