diff --git a/files/selinux_wireguard_firewall-cmd.sh b/files/selinux_wireguard_firewall-cmd.sh
new file mode 100755
index 0000000..7a7bf5a
--- /dev/null
+++ b/files/selinux_wireguard_firewall-cmd.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+systemctl stop wg-quick@wg0.service
+semanage permissive -e wireguard_t
+systemctl start wg-quick@wg0.service
+grep wireguard /var/log/audit/audit.log | audit2allow -M wireguard_firewall-cmd
+systemctl stop wg-quick@wg0.service
+semodule -i wireguard_firewall-cmd.pp
+semanage permissive -d wireguard_t
+semodule -l | grep -c wireguard_firewall-cmd
+systemctl start wg-quick@wg0.service
diff --git a/files/wireguard_firewall-cmd.pp b/files/wireguard_firewall-cmd.pp
new file mode 100644
index 0000000..afe3e0e
Binary files /dev/null and b/files/wireguard_firewall-cmd.pp differ
diff --git a/files/wireguard_firewall-cmd.te b/files/wireguard_firewall-cmd.te
new file mode 100644
index 0000000..2bd8914
--- /dev/null
+++ b/files/wireguard_firewall-cmd.te
@@ -0,0 +1,19 @@
+
+module wireguard_firewall-cmd 1.0;
+
+require {
+ type cert_t;
+ type firewalld_t;
+ type wireguard_t;
+ class dir { getattr open read search };
+ class file { getattr open read };
+ class dbus send_msg;
+}
+
+#============= firewalld_t ==============
+allow firewalld_t wireguard_t:dbus send_msg;
+
+#============= wireguard_t ==============
+allow wireguard_t cert_t:dir { getattr open read search };
+allow wireguard_t cert_t:file { getattr open read };
+allow wireguard_t firewalld_t:dbus send_msg;
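Review bot: The denial harvest on the `grep wireguard /var/log/audit/audit.log` line scans the whole audit history, so audit2allow folds every AVC that ever mentioned "wireguard" into the module, and `semodule -i` loads that module two lines later without the generated .te being reviewed — the checked-in wireguard_firewall-cmd.te is therefore not necessarily what ends up installed. There is also no `set -euo pipefail`: if audit2allow or semodule fails the script carries on, and a failure anywhere between `semanage permissive -e wireguard_t` and `semanage permissive -d wireguard_t` leaves wireguard_t permissive on the host. Limit the capture to denials logged during this run (`ausearch -m AVC -ts recent`, which still needs a manual look at the generated .te before installing), fail fast, restore enforcing mode from a trap, and add a header comment stating that the script exists to capture the denials wg-quick's firewall-cmd hooks trigger; the rewrite is below. The `semodule -l | grep -c wireguard_firewall-cmd` count is printed but never acted on, so either test it or drop it.
```shell
#!/usr/bin/env bash
# Capture the AVC denials wg-quick's firewall-cmd hooks trigger, build the
# wireguard_firewall-cmd module from them and load it. wireguard_t is only
# permissive between the two stop/start cycles and is restored on any exit.
set -euo pipefail
trap 'semanage permissive -d wireguard_t' EXIT
systemctl stop wg-quick@wg0.service
semanage permissive -e wireguard_t
systemctl start wg-quick@wg0.service
# Only denials from this run; review the generated .te before the next line installs it.
ausearch -m AVC -ts recent | audit2allow -M wireguard_firewall-cmd
systemctl stop wg-quick@wg0.service
semodule -i wireguard_firewall-cmd.pp
semodule -l | grep -q wireguard_firewall-cmd
# … unchanged: systemctl start wg-quick@wg0.service …
```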
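Review bot: The two `allow wireguard_t cert_t:…` rules grant wireguard_t read access to every cert_t-labelled directory and file, and on Fedora/RHEL that label covers the whole of /etc/pki including the private-key directories, so a compromised wg-quick hook would be able to read TLS private keys rather than just the CA bundle; the denial behind these rules is presumably firewall-cmd's runtime touching the certificate store — confirm which path was actually accessed and whether the access is needed at all before allowing the entire type. The module records nothing about what triggered it, so a later reader cannot tell whether the rules are still required; above `allow wireguard_t firewalld_t:dbus send_msg;` add `# wg-quick PostUp/PostDown runs firewall-cmd, which talks to firewalld over the system bus; the firewalld_t -> wireguard_t rule is the reply direction` and a similar note on the cert_t rules once their trigger is confirmed. The leading blank line and the audit2allow section markers suggest the file was committed straight from the generator; the .pp in the same commit should be rebuilt from this reviewed .te, not the other way round.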