How to Set Up SELinux for a WireGuard VPN on AlmaLinux?

Asked By CuriousCoder42 On

I'm trying to secure my WireGuard VPN server on AlmaLinux 9 using SELinux effectively, rather than just putting it in permissive mode or disabling it like I've done in the past. I've read through some SELinux documentation and made some configurations, but I'm unsure if everything is correct.

Here's what I've done so far: I ensured SELinux is enforcing and confirmed that in /etc/selinux/config. I've set the /etc/wireguard directory with the etc_t type using the command:

```bash
# Register the file-context rule, then apply it to the files already on disk
semanage fcontext -a -t etc_t '/etc/wireguard(/.*)?'
restorecon -Rv /etc/wireguard
```

I'm questioning whether etc_t is suitable for WireGuard or if it should have its own specific context. I also opened the necessary port:

```bash
firewall-cmd --permanent --add-port=51820/udp
firewall-cmd --reload
```

Additionally, I've installed the basic SELinux tools:

```bash
dnf install policycoreutils policycoreutils-python-utils -y
```

I'm checking for AVC denials and creating modules as necessary when I see issues:

```bash
# Collect the WireGuard-related denials and build a local policy module from them
grep wireguard /var/log/audit/audit.log | audit2allow -M wireguard_local
# Load the generated module
semodule -i wireguard_local.pp
```

I'm mainly curious about a few things: Is etc_t the correct label for /etc/wireguard? Should I handle the wg0.conf and other configuration files differently? Am I missing anything essential for hardening my setup? Any help would be greatly appreciated!

4 Answers

Answered By AuditNinja On

Before using audit2allow, I recommend trying out audit2why first. Sometimes, a simple change with a SELinux boolean can solve the issue instead of creating more modules. Remember to use the least privilege principle!

FreshmanCult -

If you find the right label for /etc/wireguard, consider removing the audit2allow module. It can be too permissive and lead to potential security issues.

TechWhiz101 -

Exactly! Audit2allow is helpful, but make sure you check if an SELinux boolean can fix the problem first.

Answered By NetworkNerd2023 On

Check out this link about SELinux policies for WireGuard: https://www.linuxcampus.net/documentation/selinux-policy/wireguard.html. There appears to be a policy module for it. While it can handle the `wg-quick` processes with `wireguard_t`, it doesn't protect your config files directly. You might need to create a custom module for your config files to secure them from other processes like Apache.

CodeReviewer -

Absolutely! You can run `sudo seinfo -t | grep wireguard` to see which types exist. Just ensure you're properly labeling any config files to maintain their security.
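Picking up AuditNinja's point about checking before reaching for audit2allow and NetworkNerd2023's point about keeping other domains away from the config files, here is a small triage script (an added example, not code from any answer above) that splits AVC records into denials of the WireGuard domain itself and denials of other domains touching WireGuard-labelled files, so that the latter never get turned into allow rules by a blanket `grep wireguard | audit2allow`. The log lines are constructed, and the target type `wireguard_conf_t` is an assumption; confirm real type names with `seinfo -t` as suggested above.

```python
"""Triage SELinux AVC denials before feeding any of them to audit2allow."""
import re
from collections import Counter

# Constructed sample audit.log records (not real captures). The target type
# wireguard_conf_t is assumed for illustration; verify with `seinfo -t`.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:11): avc:  denied  { read } for  pid=1201 comm="wg-quick" name="wg0.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:12): avc:  denied  { read } for  pid=1201 comm="wg-quick" name="wg0.conf" scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:13): avc:  denied  { name_bind } for  pid=1202 comm="wg" src=51820 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1700000000.104:14): avc:  denied  { read } for  pid=2210 comm="httpd" name="privatekey" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:wireguard_conf_t:s0 tclass=file permissive=0
type=USER_START msg=audit(1700000000.105:15): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open res=success'
"""

# Pull the permission set, command, source/target *types* and object class
# out of one AVC record; everything else on the line is ignored.
AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):.*?tcontext=\w+:\w+:(?P<ttype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)'
)


def parse_avc(log_text):
    """Return one dict per AVC denial; non-AVC records are skipped."""
    return [m.groupdict() for m in map(AVC_RE.search, log_text.splitlines()) if m]


def triage(denials, vpn_domain="wireguard_t", vpn_types=("wireguard_conf_t",)):
    """Bucket denials by (source type, target type, class, perms).
    gap       -> the VPN domain itself was denied: run these through audit2why
                 first; a boolean or a relabel may fix them without a module.
    contained -> another domain was denied access to a VPN-labelled object:
                 SELinux is doing its job, so never turn these into allow rules.
    Denials unrelated to the VPN on either side are dropped.
    """
    buckets = {"gap": Counter(), "contained": Counter()}
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"], d["perms"])
        if d["stype"] == vpn_domain:
            buckets["gap"][key] += 1
        elif d["ttype"] in vpn_types:
            buckets["contained"][key] += 1
    return buckets


if __name__ == "__main__":
    for bucket, counts in triage(parse_avc(SAMPLE_AUDIT)).items():
        for (src, tgt, cls, perms), n in counts.items():
            print(f"{bucket:9} {n}x {src} -> {tgt} ({cls}) {{ {perms} }}")
```

Only the "gap" bucket is worth handing to audit2why; the "contained" bucket is the evidence that a dedicated label is keeping the keys away from Apache.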

Answered By TechWhiz101 On

First things first, you need to check what context the WireGuard processes are running under. Once you know that, make sure it has the necessary permissions to access the files it needs and perform required actions. If that's all good, SELinux is already doing its job by limiting what other services can access your system.

If you're looking for even tighter security, think about setting custom types for your WireGuard keys and processes. This way, if something gets compromised (like an Apache server), it won't have access to your WireGuard keys. It's not overly complex once you get the hang of it, but the documentation can be a bit overwhelming. Definitely look into RHEL's SELinux docs or some of Dan Walsh's talks for more in-depth guidance!

Answered By SecGuru89 On

Not everything in /etc is labeled with etc_t. You might want to check specific configurations—run `ausearch -i -f /etc/wireguard` to see if anything needs to be adjusted.
