Add selinux authorizations for futur application

This commit is contained in:
Adrien Reslinger 2024-09-15 01:11:34 +02:00
parent cacef647a9
commit 9c047cd19a
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
3 changed files with 29 additions and 0 deletions


@ -0,0 +1,10 @@
#!/usr/bin/env bash
systemctl stop wg-quick@wg0.service
semanage permissive -e wireguard_t
systemctl start wg-quick@wg0.service
grep wireguard /var/log/audit/audit.log | audit2allow -M wireguard_firewall-cmd
systemctl stop wg-quick@wg0.service
semodule -i wireguard_firewall-cmd.pp
semanage permissive -d wireguard_t
semodule -l | grep -c wireguard_firewall-cmd
systemctl start wg-quick@wg0.service
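Review bot: The pipeline on the `grep wireguard /var/log/audit/audit.log | audit2allow` line reads the whole audit log, so every past denial that mentions "wireguard" (from earlier runs, other services, or paths containing the word) is folded into the module rather than only the denials produced by the service start just above it; scoping the query to this run, e.g. `ausearch -m AVC -ts recent | grep wireguard_t | audit2allow -M wireguard_firewall-cmd`, keeps the generated rules to what the current wg-quick start actually needed. The script also has no `set -e` and no cleanup path, so if `audit2allow` or `semodule -i` fails, wireguard_t is left permissive and the service stays stopped; a `trap` that removes the permissive domain and restarts the unit on EXIT closes that window. Note that `-e` is not an option I recognise for `semanage permissive` (the documented form for adding a permissive domain is `-a`), so it is worth confirming that line runs at all. The final `semodule -l | grep -c` is informational only and its exit status is ignored, which is fine but deserves a comment.
```bash
#!/usr/bin/env bash
set -euo pipefail

# Put wireguard_t back into enforcing mode and restart the tunnel even if a
# step below fails, so an aborted run never leaves the domain permissive.
cleanup() {
    semanage permissive -d wireguard_t || true
    systemctl start wg-quick@wg0.service
}
trap cleanup EXIT

systemctl stop wg-quick@wg0.service
semanage permissive -a wireguard_t
systemctl start wg-quick@wg0.service
# Only denials from this run: reading all of audit.log would also pull in
# stale or unrelated "wireguard" denials from the log's history.
ausearch -m AVC -ts recent | grep wireguard_t | audit2allow -M wireguard_firewall-cmd
systemctl stop wg-quick@wg0.service
semodule -i wireguard_firewall-cmd.pp
# … unchanged: semodule -l listing (informational only) …
# permissive removal and service restart happen in cleanup() on EXIT
```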

Binary file not shown.


@ -0,0 +1,19 @@
module wireguard_firewall-cmd 1.0;
require {
type cert_t;
type firewalld_t;
type wireguard_t;
class dir { getattr open read search };
class file { getattr open read };
class dbus send_msg;
}
#============= firewalld_t ==============
allow firewalld_t wireguard_t:dbus send_msg;
#============= wireguard_t ==============
allow wireguard_t cert_t:dir { getattr open read search };
allow wireguard_t cert_t:file { getattr open read };
allow wireguard_t firewalld_t:dbus send_msg;
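Review bot: The two `allow wireguard_t cert_t:dir`/`:file` rules grant wireguard_t read access to everything labelled cert_t on the system, not just the certificate(s) the wg-quick hook presumably touches; since this module appears to be audit2allow output (the `#============= … ==============` headers), each rule should be checked against an actual denial from this service rather than accepted wholesale, and the cert_t reads in particular look unrelated to the module's stated purpose of letting wireguard call firewall-cmd over D-Bus (the two `dbus send_msg` rules). If the cert read is genuinely needed, consider narrowing it to a dedicated type for that file instead of all of cert_t. A short comment above the cert_t rules stating which denial produced them, e.g. `# cert_t read: generated from AVC on <path> during wg-quick start — confirm still required`, would make the next review of this policy much easier.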