WireGuard cannot read wg0.conf on the share

I have a virtual Fedora server running under libvirt, and I use virtiofs:

hostshare /etc/wireguard virtiofs rw,relatime 0 0

The directory in the guest is mapped to /etc/wireguard, and the ownership of the shared folder on both the host and the guest is root:root (id 0).

When I create a wg0.conf file in this directory, the systemd service fails.

Dec 11 12:59:11 vpn-server systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
Dec 11 12:59:11 vpn-server wg-quick[889]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 11 12:59:11 vpn-server systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Dec 11 12:59:11 vpn-server systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Dec 11 12:59:11 vpn-server systemd[1]: Failed to start wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.

However, if I run wg-quick up wg0, WireGuard starts.

# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip -6 address add fdf0:426a:74ae::1/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
[#] ip6tables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE

I have already checked that the systemd service waits for the mount to exist by adding the mount to the After= parameter of the service; however, even when I try to start it manually after the system has booted, and I have confirmed that the share is accessible, the service still fails to start.

Can anyone help me figure out what is going wrong?

It looks like the systemd service does not see the mount point:

Dec 11 13:21:50 vpn-server mount[1326]: /dev/mapper/fedora-root on / type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Dec 11 13:21:50 vpn-server mount[1326]: devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=4096k,nr_inodes=368069,mode=755,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
Dec 11 13:21:50 vpn-server mount[1326]: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
Dec 11 13:21:50 vpn-server mount[1326]: pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
Dec 11 13:21:50 vpn-server mount[1326]: configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=594992k,nr_inodes=819200,mode=755,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=3915)
Dec 11 13:21:50 vpn-server mount[1326]: hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M)
Dec 11 13:21:50 vpn-server mount[1326]: mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: hostshare on /etc/wireguard type virtiofs (rw,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,nr_inodes=1048576,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: /dev/vda2 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=297496k,nr_inodes=74374,mode=700,uid=1000,gid=1000,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tracefs on /sys/kernel/debug/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)

Dec 11 13:21:50 vpn-server wg-quick[1327]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 11 13:21:50 vpn-server systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE

Update

As @MarcusMüller pointed out, it looks like an SELinux problem:

Dec 11 13:21:50 vpn-server audit[1327]: AVC avc:  denied  { search } for  pid=1327 comm="wg-quick" name="/" dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0

The good news is that if I put SELinux into permissive mode (setenforce 0), the wg service starts.

Answer 1

The problem is caused by an SELinux permission issue, as pointed out by @MarcusMüller.

I have described the solution in another question, but, in short, you need to use audit2allow to work out the permissions and then semanage.

See this question for a more complete answer:

SELINUX policy not applied
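The following POSIX shell script is an added example, not code from the question or the answer above. It takes the AVC denial line quoted in the question and turns it into the allow rule and `.te` policy module that `audit2allow -M` would produce, so that the grant can be read and reviewed before it is loaded. The module name `local_wg_virtiofs` is an arbitrary choice for the example.

```shell
#!/bin/sh
# Added example (not from the original post): derive an audit2allow-style
# allow rule and policy module from an SELinux AVC denial record.
# AVC_LINE is the denial line quoted in the question; the module name
# local_wg_virtiofs is an assumption made for this example.

AVC_LINE='Dec 11 13:21:50 vpn-server audit[1327]: AVC avc:  denied  { search } for  pid=1327 comm="wg-quick" name="/" dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: print the value of "KEY=value" from an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permissions listed between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the single TE rule that would silence this denial.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te NAME LINE: a complete .te module in the shape audit2allow -M emits,
# with the require block listing the types and class the rule refers to.
avc_to_te() {
    name=$1
    line=$2
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '\ttype %s;\n\ttype %s;\n' "$src" "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$cls" "$perms"
    printf '#============= %s ==============\n' "$src"
    avc_to_allow "$line"
}

# Print the module for the denial from the question. To build and load it on
# the guest (as root, needs checkpolicy and policycoreutils; not run here):
#   avc_to_te local_wg_virtiofs "$AVC_LINE" > local_wg_virtiofs.te
#   checkmodule -M -m -o local_wg_virtiofs.mod local_wg_virtiofs.te
#   semodule_package -o local_wg_virtiofs.pp -m local_wg_virtiofs.mod
#   semodule -i local_wg_virtiofs.pp
avc_to_te local_wg_virtiofs "$AVC_LINE"
```

Two caveats a practitioner should keep in mind. First, this one rule only covers the first denial (`search` on the directory); once it is loaded, wg-quick will hit further denials for reading the file itself, so the usual workflow is to collect them all at once in permissive mode (`setenforce 0`, reproduce the failure, `setenforce 1`) and then feed them to `ausearch -m avc -ts recent | audit2allow -M local_wg_virtiofs`, which performs the same transformation for every record. Second, `virtiofs_t` is the label of every virtiofs mount, not just this share, so the allow rule is broader than the problem: a narrower alternative is to mount the share with a `context=` option in fstab so that the files carry the type the wireguard policy already expects for /etc/wireguard (`matchpathcon -n /etc/wireguard` prints that type on the guest; which type that is depends on the installed policy, so it is not assumed here).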
