Merge pull request #408 from ffontaine/master

policy/modules/services/wireguard.te

@@ -61,10 +61,6 @@ corecmd_exec_shell(wireguard_t)
 
 domain_use_interactive_fds(wireguard_t)
 
-# wg-quick can be configured to run iptables and other networking
-# config tools when bringing up/down the wg interfaces
-iptables_domtrans(wireguard_t)
-
 # wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
 kernel_dontaudit_read_system_state(wireguard_t)
 kernel_dontaudit_search_kernel_sysctl(wireguard_t)
@@ -75,3 +71,9 @@ miscfiles_read_localization(wireguard_t)
 sysnet_run_ifconfig(wireguard_t, wireguard_roles)
 
 userdom_use_user_terminals(wireguard_t)
+
+# wg-quick can be configured to run iptables and other networking
+# config tools when bringing up/down the wg interfaces
+optional_policy(`
+	iptables_domtrans(wireguard_t)
+')