Hello,

herewith I'm requesting a bug fix in the bash script 'wg-quick'. When 'DNS' is set in the interface's configuration file, 'wg-quick' will mount the modified 'resolv.conf' with improperly set SELinux labels, which leads to services not being able to access the 'resolv.conf' correctly. In my test case it was 'syslogd_t' not being able to do the syscalls 'getattr read', because the normal mount will be labeled as 'unconfined_u:object_r:user_tmp_t:s0' when I execute the script manually. The fix would be easily done by adding the correct mount labels as a mount option:

mount -o context="system_u:object_r:net_conf_t:s0" -t tmpfs none /dev/shm

Greetings

Silvan



*** /bin/wg-quick    2018-06-13 19:29:40.000000000 +0200
--- wg-quick    2018-06-16 21:58:05.020633893 +0200
***************
*** 331,337 ****
          } | unshare -m --propagation shared bash -c "$(cat <<-_EOF
              set -e
              mount --make-private /dev/shm
!             mount -t tmpfs none /dev/shm
              cat > /dev/shm/resolv.conf
              mount -o remount,ro /dev/shm
              mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
--- 331,337 ----
          } | unshare -m --propagation shared bash -c "$(cat <<-_EOF
              set -e
              mount --make-private /dev/shm
!             mount -o context="system_u:object_r:net_conf_t:s0" -t tmpfs none /dev/shm
              cat > /dev/shm/resolv.conf
              mount -o remount,ro /dev/shm
              mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
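Review bot: the replacement line `mount -o context="system_u:object_r:net_conf_t:s0" -t tmpfs none /dev/shm` applies the SELinux option unconditionally, and since the block runs under `set -e`, a mount that rejects `context=` (a kernel with SELinux disabled or not built in) aborts the whole unshare'd script, so the resolv.conf update is silently skipped where the original `mount -t tmpfs none /dev/shm` still worked. Guard the option on SELinux being active (for example `/sys/fs/selinux` being mounted, or `selinuxenabled` succeeding) and keep the plain mount as the fallback. The hardcoded `net_conf_t` type is also specific to the Fedora/RHEL targeted policy; deriving the context from the label the installed policy already assigns to `/etc/resolv.conf` (`stat -c %C /etc/resolv.conf` or `matchpathcon /etc/resolv.conf`) would avoid baking one distribution's type into wg-quick.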

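As an added example (not wg-quick's code and not part of Silvan's patch), the following bash functions show how the tmpfs mount from the patch could request the SELinux context only when SELinux is actually active, and how an administrator can verify afterwards that the bind-mounted resolv.conf carries the expected type. Assumptions made here: the presence of an `enforce` file under `/sys/fs/selinux` indicates an SELinux-enabled kernel (the probe path is a parameter so the logic can be exercised on any machine), and the default type `net_conf_t` is taken from the report.

```shell
#!/bin/bash
# Added example, not code from wg-quick or from the mailing-list patch.
# Assumption: /sys/fs/selinux/enforce exists exactly when SELinux is active.

# Print the extra tmpfs mount option, or nothing when SELinux is not active.
#   $1: sysfs file to probe   (default /sys/fs/selinux/enforce)
#   $2: context to request    (default system_u:object_r:net_conf_t:s0, from the report)
tmpfs_context_opt() {
    local probe=${1:-/sys/fs/selinux/enforce}
    local ctx=${2:-system_u:object_r:net_conf_t:s0}
    if [ -e "$probe" ]; then
        printf 'context=%s' "$ctx"
    fi
    return 0
}

# Compose the mount command that would run inside the mount namespace.
# It is printed rather than executed, so it can be inspected without root.
tmpfs_mount_cmd() {
    local opt
    opt=$(tmpfs_context_opt "$1" "$2")
    if [ -n "$opt" ]; then
        printf 'mount -o %s -t tmpfs none /dev/shm' "$opt"
    else
        # Fallback identical to the unpatched wg-quick line.
        printf 'mount -t tmpfs none /dev/shm'
    fi
}

# Verify that a path carries the expected SELinux type (third field of the
# label). Uses GNU stat's %C, which prints "?" when no label is available.
# Returns 0 on match, 1 on mismatch, 2 if the path cannot be stat'ed.
#   $1: path to check, $2: expected type, e.g. net_conf_t
check_label_type() {
    local label type
    label=$(stat -c %C "$1" 2>/dev/null) || return 2
    type=$(printf '%s' "$label" | cut -d: -f3)
    [ "$type" = "$2" ]
}

# Typical use after wg-quick has brought an interface up with DNS= set:
#   check_label_type /etc/resolv.conf net_conf_t || echo "resolv.conf mislabeled"
```

On a host where SELinux is active, `tmpfs_mount_cmd` yields the patched command; elsewhere it falls back to the original one, so a rejected `context=` option can no longer abort the `set -e` block. `check_label_type` is the post-condition an administrator would check when a confined service (the report's `syslogd_t`) is denied access to resolv.conf.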
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
