Wireguard is denied by selinux

ausearch -i

type=AVC msg=audit(06/29/2025 20:01:30.929:169) : avc:  denied  { getattr } for  pid=22891 comm=bash path=/usr/bin/mount dev="sda2" ino=12073 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0 
type=AVC msg=audit(06/29/2025 20:01:30.929:170) : avc:  denied  { getattr } for  pid=22891 comm=bash path=/usr/bin/mount dev="sda2" ino=12073 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0 
type=AVC msg=audit(06/29/2025 20:06:29.978:176) : avc:  denied  { getattr } for  pid=23877 comm=bash path=/usr/bin/mount dev="sda2" ino=12073 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.978:177) : avc:  denied  { execute } for  pid=23877 comm=bash name=mount dev="sda2" ino=12073 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.978:178) : avc:  denied  { read } for  pid=23877 comm=bash name=mount dev="sda2" ino=12073 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.978:179) : avc:  denied  { open } for  pid=23883 comm=bash path=/usr/bin/mount dev="sda2" ino=12073 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.978:180) : avc:  denied  { execute_no_trans } for  pid=23883 comm=bash path=/usr/bin/mount dev="sda2" ino=12073 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.981:181) : avc:  denied  { getattr } for  pid=23884 comm=mount path=/run/mount/utab dev="tmpfs" ino=1016 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.981:182) : avc:  denied  { read write } for  pid=23884 comm=mount name=utab dev="tmpfs" ino=1016 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.981:183) : avc:  denied  { mount } for  pid=23884 comm=mount name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.981:184) : avc:  denied  { mounton } for  pid=23884 comm=mount path=/dev/shm dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.982:185) : avc:  denied  { create } for  pid=23885 comm=bash name=resolv.conf scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.982:186) : avc:  denied  { write open } for  pid=23885 comm=bash path=/dev/shm/resolv.conf dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:29.982:187) : avc:  denied  { getattr } for  pid=23885 comm=cat path=/dev/shm/resolv.conf dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.004:188) : avc:  denied  { write } for  pid=23886 comm=chcon name=context dev="selinuxfs" ino=5 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.004:189) : avc:  denied  { check_context } for  pid=23886 comm=chcon scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.004:190) : avc:  denied  { getattr } for  pid=23886 comm=chcon path=/dev/shm/resolv.conf dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.004:191) : avc:  denied  { relabelfrom } for  pid=23886 comm=chcon name=resolv.conf dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.004:192) : avc:  denied  { relabelto } for  pid=23886 comm=chcon name=resolv.conf dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.006:193) : avc:  denied  { getattr } for  pid=23888 comm=mount path=/dev/dm-0 dev="devtmpfs" ino=743 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.006:194) : avc:  denied  { search } for  pid=23888 comm=mount name=swap dev="sda3" ino=256 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.007:195) : avc:  denied  { open } for  pid=23888 comm=mount path=/run/mount/utab dev="tmpfs" ino=1016 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:mount_var_run_t:s0 tclass=file permissive=1 
type=AVC msg=audit(06/29/2025 20:06:30.009:196) : avc:  denied  { mounton } for  pid=23877 comm=mount path=/etc/resolv.conf dev="sda2" ino=1107 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1

errors from wireguard:

Jun 29 18:07:35 server-ksj wg-quick[2026]: [#] ip link add wg0-server type wireguard
Jun 29 18:07:35 server-ksj wg-quick[2026]: [#] wg setconf wg0-server /dev/fd/63
Jun 29 18:07:35 server-ksj wg-quick[2026]: [#] ip -4 address add 10.0.0.2/24 dev wg0-server
Jun 29 18:07:35 server-ksj wg-quick[2026]: [#] ip link set mtu 1420 up dev wg0-server
Jun 29 18:07:35 server-ksj wg-quick[2026]: [#] mount `8.8.8.8' /etc/resolv.conf
Jun 29 18:07:35 server-ksj wg-quick[2115]: unshare: unshare failed: Operation not permitted
Jun 29 18:07:35 server-ksj wg-quick[2026]: [#] ip link delete dev wg0-server

I fixed this above by

ausearch -m avc -c unshare | audit2allow -M wireguard_unshare
semodule -i wireguard_unshare.pp

but then there are more of them (and more in audit.log):

Jun 29 20:01:30 server-ksj wg-quick[22846]: [#] ip link add wg0-server type wireguard
Jun 29 20:01:30 server-ksj wg-quick[22846]: [#] wg setconf wg0-server /dev/fd/63
Jun 29 20:01:30 server-ksj wg-quick[22846]: [#] ip -4 address add 10.0.0.2/24 dev wg0-server
Jun 29 20:01:30 server-ksj wg-quick[22846]: [#] ip link set mtu 1420 up dev wg0-server
Jun 29 20:01:30 server-ksj wg-quick[22846]: [#] mount `8.8.8.8' /etc/resolv.conf
Jun 29 20:01:30 server-ksj wg-quick[22898]: bash: line 3: mount: command not found
Jun 29 20:01:30 server-ksj wg-quick[22846]: [#] ip link delete dev wg0-server

I think there is something wrong with the permissions for wireguard, but I'm not sure how to check it.
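An added check (my own shell script, not code from the thread): it condenses ausearch -i AVC lines for one source domain into one line per target type and class, so every rule audit2allow would generate from them can be reviewed before the module is loaded with semodule. The AVC lines inside it are a constructed sample in the same format as the output above.

```shell
#!/bin/sh
# Constructed sample in ausearch -i format (not the real audit log from the thread).
SAMPLE_AVC='type=AVC msg=audit(06/29/2025 20:06:29.981:183) : avc:  denied  { mount } for  pid=23884 comm=mount name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(06/29/2025 20:06:30.004:192) : avc:  denied  { relabelto } for  pid=23886 comm=chcon name=resolv.conf dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/29/2025 20:06:29.982:186) : avc:  denied  { write open } for  pid=23885 comm=bash path=/dev/shm/resolv.conf dev="tmpfs" ino=2 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/29/2025 20:06:29.982:185) : avc:  denied  { create } for  pid=23885 comm=bash name=resolv.conf scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1'

# summarize_avc DOMAIN  < avc-lines
# Prints "target_type tclass perm1 perm2 ..." (sorted), one line per target type and
# class, merging the permission sets of all denials whose source type is DOMAIN.
summarize_avc() {
    awk -v dom="$1" '
    /avc: +denied/ {
        # permission list sits between "{ " and " }"
        p = $0; sub(/.*denied +[{] */, "", p); sub(/ *[}].*/, "", p)
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")     # user:role:type:level
        if (sa[3] != dom) next
        key = ta[3] " " c
        n = split(p, pa, " ")
        for (i = 1; i <= n; i++)
            if (!((key, pa[i]) in seen)) { seen[key, pa[i]] = 1; perms[key] = perms[key] " " pa[i] }
    }
    END { for (k in perms) print k perms[k] }' | sort
}

# flag_broad < summary-lines
# Keeps only the entries that would let the domain relabel files, mount filesystems or
# execute binaries: the rules to question before loading an audit2allow module wholesale.
flag_broad() {
    grep -E ' (relabelto|relabelfrom|mount|mounton|execute|execute_no_trans)( |$)'
}

# Stand-alone usage: summarize the sample for wireguard_t and show the broad entries.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc wireguard_t
printf '%s\n' "$SAMPLE_AVC" | summarize_avc wireguard_t | flag_broad
```

On a real system, replace the sample with `ausearch -m avc -i -ts today | summarize_avc wireguard_t`.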

Open bug report as instructed on Portal:SELinux - openSUSE Wiki

I saw there is already a similar bug reported:
https://bugzilla.opensuse.org/show_bug.cgi?id=1243148
so I reported cockpit instead, which I didn't find there. Thanks
