Christian's questions

我有一个作为虚拟机运行的 Fedora Server v39（最小安装）（主机也是 Fedora Server v39）。

我已使用 VM 与 VM 共享主机目录virtiofs并将其映射到/etc/wireguardVM 中。

drwx------. 4 root root system_u:object_r:virtiofs_t:s0                   109 Dec 13 22:03 wireguard

我已经安装了wireguard从 读取它的配置/etc/wireguard，除了 SELINUX 被阻止

# ausearch -m AVC -i
----
type=AVC msg=audit(13/12/23 21:19:26.166:194) : avc:  denied  { search } for  pid=1151 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(13/12/23 22:00:40.880:204) : avc:  denied  { search } for  pid=1250 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(13/12/23 22:01:47.028:208) : avc:  denied  { search } for  pid=1265 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.028:209) : avc:  denied  { getattr } for  pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.033:210) : avc:  denied  { getattr } for  pid=1269 comm=stat path=/etc/wireguard dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.034:211) : avc:  denied  { read } for  pid=1265 comm=wg-quick name=wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.034:212) : avc:  denied  { open } for  pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:01:47.035:213) : avc:  denied  { ioctl } for  pid=1265 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 ioctlcmd=TCGETS scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.574:372) : avc:  denied  { search } for  pid=1692 comm=wg-quick name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.574:373) : avc:  denied  { getattr } for  pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.584:376) : avc:  denied  { search } for  pid=1702 comm=stat name=/ dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.588:377) : avc:  denied  { getattr } for  pid=1704 comm=stat path=/etc/wireguard dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.588:378) : avc:  denied  { read } for  pid=1692 comm=wg-quick name=wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.589:379) : avc:  denied  { open } for  pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13/12/23 22:30:26.593:380) : avc:  denied  { ioctl } for  pid=1692 comm=wg-quick path=/etc/wireguard/wg0.conf dev="virtiofs" ino=981467299 ioctlcmd=TCGETS scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=file permissive=1

所以我安装了policycoreutils-python-utilsSELINUX 工具并运行grep AVC /var/log/audit/audit.log | audit2allow -M wireguard以获取以下策略

# cat wireguard.te

module wireguard 1.0;

require {
    type wireguard_t;
    type virtiofs_t;
    class dir { getattr search };
    class file { getattr ioctl open read };
}

#============= wireguard_t ==============
allow wireguard_t virtiofs_t:dir { getattr search };
allow wireguard_t virtiofs_t:file { getattr ioctl open read };

但是，当我尝试安装它时，出现错误

# semodule -i wireguard.pp
libsemanage.semanage_direct_install_info: Overriding wireguard module at lower priority 100 with module at priority 400.
Failed to resolve typepermissive statement at /var/lib/selinux/targeted/tmp/modules/400/permissive_wireguard_t/cil:1
Failed to resolve AST
semodule:  Failed!

我现在不知所措，因为我找到的每个帮助页面都说要这样做......任何帮助表示赞赏。

我有一个使用 libvirt 运行的虚拟 Fedora 服务器，并使用virtiofs.

hostshare /etc/wireguard virtiofs rw,relatime 0 0

来宾中的目录被映射到，/etc/wireguard并且主机和来宾对共享文件夹的权限都是root:root (id:0)。

当我在此目录中创建wg0.conf文件时，systemd 服务失败。

Dec 11 12:59:11 vpn-server systemd[1]: Starting [email protected] - WireGuard via wg-quick(8) for wg0...
Dec 11 12:59:11 vpn-server wg-quick[889]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 11 12:59:11 vpn-server systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Dec 11 12:59:11 vpn-server systemd[1]: [email protected]: Failed with result 'exit-code'.
Dec 11 12:59:11 vpn-server systemd[1]: Failed to start [email protected] - WireGuard via wg-quick(8) for wg0.

但是，如果我运行wg-quick up wg0，则wireguard 启动。

# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip -6 address add fdf0:426a:74ae::1/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
[#] ip6tables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE

我已经通过将挂载添加到服务中的参数来检查 systemd 服务正在等待挂载存在After，但是，即使尝试在系统启动后手动启动它并且我确认共享可以访问，该服务仍然存在无法启动。

任何人都可以帮助我意识到出了什么问题吗？

看起来 systemd 服务没有看到挂载点

Dec 11 13:21:50 vpn-server mount[1326]: /dev/mapper/fedora-root on / type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Dec 11 13:21:50 vpn-server mount[1326]: devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=4096k,nr_inodes=368069,mode=755,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
Dec 11 13:21:50 vpn-server mount[1326]: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
Dec 11 13:21:50 vpn-server mount[1326]: pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
Dec 11 13:21:50 vpn-server mount[1326]: configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=594992k,nr_inodes=819200,mode=755,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=3915)
Dec 11 13:21:50 vpn-server mount[1326]: hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M)
Dec 11 13:21:50 vpn-server mount[1326]: mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: hostshare on /etc/wireguard type virtiofs (rw,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,nr_inodes=1048576,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: /dev/vda2 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=297496k,nr_inodes=74374,mode=700,uid=1000,gid=1000,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tracefs on /sys/kernel/debug/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)

Dec 11 13:21:50 vpn-server wg-quick[1327]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 11 13:21:50 vpn-server systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE

更新

正如 @MarcusMüller 所指出的，看起来像是一个 selinux 问题

Dec 11 13:21:50 vpn-server audit[1327]: AVC avc:  denied  { search } for  pid=1327 comm="wg-quick" name="/" dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0

好消息是，如果我将 selinux 置于宽容模式(setenforce 0)，wg 服务就会启动。