SELINUX 策略不适用

tag-icon tag-icon selinux
SELINUX 策略不适用

我有一个作为虚拟机运行的 Fedora Server v39(最小安装)(主机也是 Fedora Server v39)。

我已使用 VM 与 VM 共享主机目录virtiofs并将其映射到/etc/wireguardVM 中。

drwx------. 4 root root system_u:object_r:virtiofs_t:s0                   109 Dec 13 22:03 wireguard

我已经安装了wireguard从 读取它的配置/etc/wireguard,除了 SELINUX 被阻止

# ausearch -m AVC -i
----
type=AVC msg=audit(13/12/23 21:19:26.166:194) : avc:  denied  { search } for  pid=1151 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(13/12/23 22:00:40.880:204) : avc:  denied  { search } for  pid=1250 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(13/12/23 22:01:47.028:208) : avc:  denied  { search } for  pid=1265 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.028:209) : avc:  denied  { getattr } for  pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.033:210) : avc:  denied  { getattr } for  pid=1269 comm=stat path=/etc/wireguard dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.034:211) : avc:  denied  { read } for  pid=1265 comm=wg-quick name=wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.034:212) : avc:  denied  { open } for  pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.035:213) : avc:  denied  { ioctl } for  pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 ioctlcmd=TCGETS scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.574:372) : avc:  denied  { search } for  pid=1692 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.574:373) : avc:  denied  { getattr } for  pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.584:376) : avc:  denied  { search } for  pid=1702 comm=stat name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.588:377) : avc:  denied  { getattr } for  pid=1704 comm=stat path=/etc/wireguard dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.588:378) : avc:  denied  { read } for  pid=1692 comm=wg-quick name=wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.589:379) : avc:  denied  { open } for  pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.593:380) : avc:  denied  { ioctl } for  pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 ioctlcmd=TCGETS scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1

所以我安装了policycoreutils-python-utilsSELINUX 工具并运行grep AVC /var/log/audit/audit.log | audit2allow -M wireguard以获取以下策略

# cat wireguard.te

module wireguard 1.0;

require {
    type wireguard_t;
    type virtiofs_t;
    class dir { getattr search };
    class file { getattr ioctl open read };
}

#============= wireguard_t ==============
allow wireguard_t virtiofs_t:dir { getattr search };
allow wireguard_t virtiofs_t:file { getattr ioctl open read };

但是,当我尝试安装它时,出现错误

# semodule -i wireguard.pp
libsemanage.semanage_direct_install_info: Overriding wireguard module at lower priority 100 with module at priority 400.
Failed to resolve typepermissive statement at /var/lib/selinux/targeted/tmp/modules/400/permissive_wireguard_t/cil:1
Failed to resolve AST
semodule:  Failed!

我现在不知所措,因为我找到的每个帮助页面都说要这样做......任何帮助表示赞赏。

答案1

好的..非常简单的解决方案。事实证明,您不能将策略命名为与类型相同的名称!

因此,上述过程中要更改的行很简单:

grep AVC /var/log/audit/audit.log | audit2allow -M wireguard-policy

然后应用它

semodule -i wireguard-policy.pp

相关内容