我有一个作为虚拟机运行的 Fedora Server v39(最小安装)(主机也是 Fedora Server v39)。
我已使用 VM 与 VM 共享主机目录virtiofs并将其映射到/etc/wireguardVM 中。
drwx------. 4 root root system_u:object_r:virtiofs_t:s0 109 Dec 13 22:03 wireguard
我已经安装了wireguard从 读取它的配置/etc/wireguard,除了 SELINUX 被阻止
# ausearch -m AVC -i
----
type=AVC msg=audit(13/12/23 21:19:26.166:194) : avc: denied { search } for pid=1151 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(13/12/23 22:00:40.880:204) : avc: denied { search } for pid=1250 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(13/12/23 22:01:47.028:208) : avc: denied { search } for pid=1265 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/12/23 22:01:47.028:209) : avc: denied { getattr } for pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/12/23 22:01:47.033:210) : avc: denied { getattr } for pid=1269 comm=stat path=/etc/wireguard dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/12/23 22:01:47.034:211) : avc: denied { read } for pid=1265 comm=wg-quick name=wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/12/23 22:01:47.034:212) : avc: denied { open } for pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/12/23 22:01:47.035:213) : avc: denied { ioctl } for pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 ioctlcmd=TCGETS scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/12/23 22:30:26.574:372) : avc: denied { search } for pid=1692 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/12/23 22:30:26.574:373) : avc: denied { getattr } for pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/12/23 22:30:26.584:376) : avc: denied { search } for pid=1702 comm=stat name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/12/23 22:30:26.588:377) : avc: denied { getattr } for pid=1704 comm=stat path=/etc/wireguard dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/12/23 22:30:26.588:378) : avc: denied { read } for pid=1692 comm=wg-quick name=wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/12/23 22:30:26.589:379) : avc: denied { open } for pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/12/23 22:30:26.593:380) : avc: denied { ioctl } for pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 ioctlcmd=TCGETS scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1
所以我安装了policycoreutils-python-utilsSELINUX 工具并运行grep AVC /var/log/audit/audit.log | audit2allow -M wireguard以获取以下策略
# cat wireguard.te
module wireguard 1.0;
require {
type wireguard_t;
type virtiofs_t;
class dir { getattr search };
class file { getattr ioctl open read };
}
#============= wireguard_t ==============
allow wireguard_t virtiofs_t:dir { getattr search };
allow wireguard_t virtiofs_t:file { getattr ioctl open read };
但是,当我尝试安装它时,出现错误
# semodule -i wireguard.pp
libsemanage.semanage_direct_install_info: Overriding wireguard module at lower priority 100 with module at priority 400.
Failed to resolve typepermissive statement at /var/lib/selinux/targeted/tmp/modules/400/permissive_wireguard_t/cil:1
Failed to resolve AST
semodule: Failed!
我现在不知所措,因为我找到的每个帮助页面都说要这样做......任何帮助表示赞赏。
答案1
好的..非常简单的解决方案。事实证明,您不能将策略命名为与类型相同的名称!
因此,上述过程中要更改的行很简单:
grep AVC /var/log/audit/audit.log | audit2allow -M wireguard-policy
然后应用它
semodule -i wireguard-policy.pp