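## <summary>Policy for WireGuard programs.</summary>

########################################
## <summary>
##	Execute wireguard programs in the wireguard domain.
## </summary>
## <desc>
##	<p>
##	Two transitions are granted: executing a wireguard_exec_t
##	file enters wireguard_t, and executing a
##	wireguard_script_exec_t file enters wireguard_script_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`wireguard_domtrans',`
	gen_require(`
		type wireguard_t, wireguard_exec_t;
		type wireguard_script_t, wireguard_script_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, wireguard_exec_t, wireguard_t)
	domtrans_pattern($1, wireguard_script_exec_t, wireguard_script_t)
')

########################################
## <summary>
##	Execute wireguard programs in the caller domain.
## </summary>
## <desc>
##	<p>
##	No domain transition takes place: the program runs with the
##	permissions of the calling domain and is not confined by
##	wireguard_t. Use wireguard_domtrans or wireguard_run when
##	the confined domain is wanted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wireguard_exec',`
	gen_require(`
		type wireguard_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, wireguard_exec_t)
')

########################################
## <summary>
##	Execute wireguard programs in the wireguard domain, and
##	allow the specified role the wireguard domains.
## </summary>
## <desc>
##	<p>
##	Combines wireguard_domtrans with role authorisation for
##	both wireguard_t and wireguard_script_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the Wireguard domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`wireguard_run',`
	gen_require(`
		type wireguard_t, wireguard_script_t;
	')

	wireguard_domtrans($1)
	role $2 types wireguard_t;
	role $2 types wireguard_script_t;
')

########################################
## <summary>
##	Send wireguard a null signal.
## </summary>
## <desc>
##	<p>
##	The null signal delivers nothing to the target; it only lets
##	the caller test whether a wireguard_t process exists.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`wireguard_signull',`
	gen_require(`
		type wireguard_t;
	')

	allow $1 wireguard_t:process signull;
')

########################################
## <summary>
##	Read Wireguard configuration files.
## </summary>
## <desc>
##	<p>
##	Grants directory listing and file read on wireguard_etc_t.
##	The file contexts for this type are defined outside this
##	file. WireGuard configuration files normally hold interface
##	private keys and preshared keys, so treat this interface as
##	access to key material and grant it only to domains that
##	need it (to be confirmed against the file contexts).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`wireguard_read_config',`
	gen_require(`
		type wireguard_etc_t;
	')

	files_search_etc($1)
	allow $1 wireguard_etc_t:dir list_dir_perms;
	read_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
')

########################################
## <summary>
##	Manage Wireguard configuration files.
## </summary>
## <desc>
##	<p>
##	Grants management of wireguard_etc_t directories and files.
##	A domain with this access can change tunnel keys, peers and
##	any other setting the wireguard domains read from their
##	configuration, so it should be as trusted as the wireguard
##	domains themselves.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`wireguard_manage_config',`
	gen_require(`
		type wireguard_etc_t;
	')

	files_search_etc($1)
	manage_dirs_pattern($1, wireguard_etc_t, wireguard_etc_t)
	manage_files_pattern($1, wireguard_etc_t, wireguard_etc_t)
')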