From 9c047cd19aaf6cd820ffb5ef9341f501d19c894e Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sun, 15 Sep 2024 01:11:34 +0200
Subject: [PATCH] Add selinux authorizations for futur application

---
 files/selinux_wireguard_firewall-cmd.sh | 10 ++++++++++
 files/wireguard_firewall-cmd.pp | Bin 0 -> 1554 bytes
 files/wireguard_firewall-cmd.te | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100755 files/selinux_wireguard_firewall-cmd.sh
 create mode 100644 files/wireguard_firewall-cmd.pp
 create mode 100644 files/wireguard_firewall-cmd.te

diff --git a/files/selinux_wireguard_firewall-cmd.sh b/files/selinux_wireguard_firewall-cmd.sh
new file mode 100755
index 0000000..7a7bf5a
--- /dev/null
+++ b/files/selinux_wireguard_firewall-cmd.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+systemctl stop wg-quick@wg0.service
+semanage permissive -e wireguard_t
+systemctl start wg-quick@wg0.service
+grep wireguard /var/log/audit/audit.log | audit2allow -M wireguard_firewall-cmd
+systemctl stop wg-quick@wg0.service
+semodule -i wireguard_firewall-cmd.pp
+semanage permissive -d wireguard_t
+semodule -l | grep -c wireguard_firewall-cmd
+systemctl start wg-quick@wg0.service
diff --git a/files/wireguard_firewall-cmd.pp b/files/wireguard_firewall-cmd.pp
new file mode 100644
index 0000000000000000000000000000000000000000..afe3e0e3585a02e8abe375fab31b38a991aea2e4
GIT binary patch
literal 1554
zcmb`HJx;?w5QR-ZfJ6Ze)VTl%Zmrqj#eEZ?`v&DC`gSJ3pVL+qFG#;5}&^VS^Sr$;CEuQ0?71;WMgMhJ4Yx7C5Htn#jE@M^2N0v0%bt)>+r|*1yEsOvCA1#rWA;Oisu$;sgjR+7 zeNYoF4<-o;%>P&HTK*~InR%C7W$axF#@(bG57+J>4-s>%=sM|HtU7f5W_Jasgy%YF QetD0w!2ROBWR)NC1;Nr?*Z=?k
literal 0
HcmV?d00001
diff --git a/files/wireguard_firewall-cmd.te b/files/wireguard_firewall-cmd.te
new file mode 100644
index 0000000..2bd8914
--- /dev/null
+++ b/files/wireguard_firewall-cmd.te
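Review bot: `grep wireguard /var/log/audit/audit.log | audit2allow -M wireguard_firewall-cmd` feeds every record in the whole audit log that contains the string "wireguard" into audit2allow, not only the denials produced during the permissive window opened by `semanage permissive -e wireguard_t` two lines earlier, so stale or unrelated AVCs become allow rules in the module that is then installed unreviewed; scoping the input to the run (for example `ausearch -m AVC -ts recent | audit2allow -M wireguard_firewall-cmd`) and diffing the generated .te against the committed files/wireguard_firewall-cmd.te before `semodule -i` keeps the policy tied to what the service actually needed. The script also has no `set -euo pipefail`, so a failing audit2allow or `semodule -i` does not stop it and the later `semanage permissive -d wireguard_t` is the only thing returning the domain to enforcing mode; if `set -e` is added, pair it with `trap 'semanage permissive -d wireguard_t' EXIT` so an abort between `-e` and `-d` cannot leave wireguard_t permissive. `semodule -l | grep -c wireguard_firewall-cmd` only prints a count and never checks it, so a module that failed to load goes unnoticed.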
@@ -0,0 +1,19 @@
+
+module wireguard_firewall-cmd 1.0;
+
+require {
+ type cert_t;
+ type firewalld_t;
+ type wireguard_t;
+ class dir { getattr open read search };
+ class file { getattr open read };
+ class dbus send_msg;
+}
+
+#============= firewalld_t ==============
+allow firewalld_t wireguard_t:dbus send_msg;
+
+#============= wireguard_t ==============
+allow wireguard_t cert_t:dir { getattr open read search };
+allow wireguard_t cert_t:file { getattr open read };
+allow wireguard_t firewalld_t:dbus send_msg;
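Review bot: The allow rules carry no explanation of which wg-quick step triggered them, and the `cert_t` directory and file read access granted to `wireguard_t` is not obviously connected to the firewall-cmd use the module name suggests, so a reader cannot tell whether it is required or an incidental denial that audit2allow swept in from the audit log. A header comment above the `#============= wireguard_t ==============` block stating that the rules were generated by audit2allow while wireguard_t was permissive, that the two `dbus send_msg` rules cover the firewall-cmd call and its reply (presumably issued from a PostUp/PostDown hook — confirm), and what in the service reads cert_t would let the next maintainer judge the rules rather than trust them. If the cert_t reads turn out not to be needed, dropping those two allow lines and the `type cert_t;` require entry keeps the module minimal. The committed files/wireguard_firewall-cmd.pp is a prebuilt binary that cannot be audited against this source; either build it from the .te at deploy time or document that it must be regenerated whenever the .te changes.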