시스템 서비스가 Firewall-cmd를 실행할 수 없습니다.

tag-icon tag-icon fedora systemd selinux wireguard
시스템 서비스가 Firewall-cmd를 실행할 수 없습니다.

저는 최근 Fedora-38 머신에 와이어가드를 설정하고 이를 사용하여 시작했는데 systemctl start wg-quick@wg0지금까지는 훌륭하게 작동하고 있습니다. 서비스를 시작하면 다음과 같은 오류 메시지가 나타납니다.

 wg-quick[943]: [#] firewall-cmd --add-service wireguard && firewall-cmd --add-masquerade
 wg-quick[979]: ERROR:dbus.proxies:Introspect error on :1.8:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
 wg-quick[979]: Error: Sender is not authorized to send message

이것은 Wireguard 구성 파일입니다 /etc/wireguard/wg0.conf.

[Interface]
Address    = 192.168.2.1/24, fd00:7::1/48
PrivateKey = ...
PostUp     = firewall-cmd --add-service wireguard && firewall-cmd --add-masquerade
PostDown   = firewall-cmd --remove-service wireguard && firewall-cmd --remove-masquerade
ListenPort = 51820

[Peer]
PublicKey    = ...
PresharedKey = ...
AllowedIPs   = 192.168.2.2/32, fd00:7::2/48

<more peers>

다음 위치에 있는 서비스 파일입니다./usr/lib/systemd/system/[email protected]

[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

[Install]
WantedBy=multi-user.target

편집: SELinux와 관련이 있습니다. 허용하도록 설정한 wireguard_t후 다음 semanage permissive -a wireguard_t에서 이러한 문제를 볼 수 있습니다 audit.log.

type=AVC msg=audit(1684943435.472:1978): avc: denied { search } for pid=27556 comm="firewall-cmd" name="pki" dev="dm-0" ino=8390592 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(1684943435.472:1979): avc: denied { read } for pid=27556 comm="firewall-cmd" name="openssl.cnf" dev="dm-0" ino=16812949 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1980): avc: denied { open } for pid=27556 comm="firewall-cmd" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=16812949 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1981): avc: denied { getattr } for pid=27556 comm="firewall-cmd" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=16812949 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1982): avc: denied { read } for pid=27556 comm="firewall-cmd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1983): avc: denied { open } for pid=27556 comm="firewall-cmd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

관련 정보