nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

wireguard: allow running iptables

Browse Source 
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2021-03-12 21:15:45 -05:00
parent a1a9c33e88
commit 7f1a7b1cac
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
policy/modules/services/wireguard.te
View File

@ -61,8 +61,13 @@ corecmd_exec_shell(wireguard_t)
domain_use_interactive_fds(wireguard_t)
# wg-quick can be configured to run iptables and other networking
# config tools when bringing up/down the wg interfaces
iptables_domtrans(wireguard_t)
# wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
kernel_dontaudit_read_system_state(wireguard_t)
kernel_dontaudit_search_kernel_sysctl(wireguard_t)
miscfiles_read_localization(wireguard_t)