From 7f1a7b1cacd5d211077ce62fbb4e91890e65c820 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 12 Mar 2021 21:15:45 -0500
Subject: [PATCH] wireguard: allow running iptables

Wireguard can be configured to run iptables and other such networking tools when bringing up/down interfaces. Also add a dontaudit for searching kernel sysctls.

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/wireguard.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/wireguard.te b/policy/modules/services/wireguard.te
index 5eb991051..c25d3c681 100644
--- a/policy/modules/services/wireguard.te
+++ b/policy/modules/services/wireguard.te
@@ -61,8 +61,13 @@ corecmd_exec_shell(wireguard_t)
 
 domain_use_interactive_fds(wireguard_t)
 
+# wg-quick can be configured to run iptables and other networking
+# config tools when bringing up/down the wg interfaces
+iptables_domtrans(wireguard_t)
+
 # wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
 kernel_dontaudit_read_system_state(wireguard_t)
+kernel_dontaudit_search_kernel_sysctl(wireguard_t)
 
 miscfiles_read_localization(wireguard_t)
 
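Review bot: `iptables_domtrans(wireguard_t)` is added as a bare call between the domain_ and kernel_ interface calls, whereas refpolicy convention, as far as I can tell from comparable modules, wraps interface calls into separately loadable modules such as iptables in an m4 optional block placed after the unconditional rules, so the wireguard module still links when the iptables policy is not present; that would be ``optional_policy(` ``, then `iptables_domtrans(wireguard_t)` indented, then `')`. The new comment also claims more than the rule grants: only a transition into the iptables domain is added, so "and other networking config tools" will mislead the next reader, e.g. `# wg-quick hooks can be configured to run iptables when bringing up/down the wg interfaces`. Because the hook commands come from the wg-quick configuration file, write access to that file is what now gates entry to the iptables domain from wireguard_t; worth stating in the commit message so the widened reach is visible to whoever audits this transition later. Finally, `kernel_dontaudit_search_kernel_sysctl(wireguard_t)` sits under a comment that explains only the /proc/filesystems read, and a short comment naming which command triggers the sysctl search would keep the two dontaudits from being conflated.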