
Add support for SELinux-enhanced systems #543

Open
wants to merge 1 commit into
base: master
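--- a/wireguard-install.sh
+++ b/wireguard-install.sh
@@ -185,6 +185,17 @@ function installQuestions() {
 read -n1 -r -p "Press any key to continue..."
 }
 
+function installSELinuxRules() {
+local osid
+osid="$1"
+
+if [[ $osid == 'fedora' ]]; then
+echo "module se_wg 1.0;require { type wireguard_t; class capability { dac_override dac_read_search }; } allow wireguard_t self:capability { dac_override dac_read_search };" >/tmp/se_wg.te && checkmodule -M -m -o /tmp/se_wg.mod /tmp/se_wg.te && semodule_package -o /tmp/se_wg.pp -m /tmp/se_wg.mod && semodule -i /tmp/se_wg.pp
+elif [[ $osid == 'centos' || $osid == 'almalinux' || $osid == 'rocky' ]]; then
+echo "module se_wg 1.0; require {type wireguard_t; type cert_t; type firewalld_t; class capability { dac_override dac_read_search }; class dir search; class dbus send_msg;} allow wireguard_t cert_t:dir search; allow wireguard_t firewalld_t:dbus send_msg; allow wireguard_t self:capability { dac_override dac_read_search };" >/tmp/se_wg.te && checkmodule -M -m -o /tmp/se_wg.mod /tmp/se_wg.te && semodule_package -o /tmp/se_wg.pp -m /tmp/se_wg.mod && semodule -i /tmp/se_wg.pp
+fi
+}
+
 function installWireGuard() {
 # Run setup questions first
 installQuestions
@@ -206,13 +217,15 @@ function installWireGuard() {
 dnf install -y dnf-plugins-core
 dnf copr enable -y jdoss/wireguard
 dnf install -y wireguard-dkms
+dnf install -y checkpolicy
 fi
 dnf install -y wireguard-tools iptables qrencode
 elif [[ ${OS} == 'centos' ]] || [[ ${OS} == 'almalinux' ]] || [[ ${OS} == 'rocky' ]]; then
 if [[ ${VERSION_ID} == 8* ]]; then
 yum install -y epel-release elrepo-release
 yum install -y kmod-wireguard
 yum install -y qrencode # not available on release 9
+yum install -y checkpolicy
 fi
 yum install -y wireguard-tools iptables
 elif [[ ${OS} == 'oracle' ]]; then
@@ -282,6 +295,8 @@ PostDown = ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >
 echo "net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf
 
+installSELinuxRules ${OS}
+
 if [[ ${OS} == 'alpine' ]]; then
 sysctl -p /etc/sysctl.d/wg.conf
 rc-update add sysctl
@@ -496,13 +511,13 @@ function uninstallWg() {
 elif [[ ${OS} == 'debian' ]]; then
 apt-get remove -y wireguard wireguard-tools qrencode
 elif [[ ${OS} == 'fedora' ]]; then
-dnf remove -y --noautoremove wireguard-tools qrencode
+dnf remove -y --noautoremove wireguard-tools qrencode checkpolicy
 if [[ ${VERSION_ID} -lt 32 ]]; then
 dnf remove -y --noautoremove wireguard-dkms
 dnf copr disable -y jdoss/wireguard
 fi
 elif [[ ${OS} == 'centos' ]] || [[ ${OS} == 'almalinux' ]] || [[ ${OS} == 'rocky' ]]; then
-yum remove -y --noautoremove wireguard-tools
+yum remove -y --noautoremove wireguard-tools checkpolicy
 if [[ ${VERSION_ID} == 8* ]]; then
 yum remove --noautoremove kmod-wireguard qrencode
 fi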
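Review bot: `installSELinuxRules` in the first hunk writes its policy sources as root to the fixed paths /tmp/se_wg.te, /tmp/se_wg.mod and /tmp/se_wg.pp, so a pre-existing file or symlink at those names is followed and the files are never removed afterwards; a `mktemp -d` directory that is cleaned up at the end avoids both. The `&&` chain also fails silently and runs on every Fedora/CentOS-family host, while `checkpolicy` is only installed inside the version-gated blocks of the second hunk (the enclosing `if` of the Fedora branch starts outside that hunk; from the uninstall hunk it appears to be the `VERSION_ID -lt 32` block), so on newer releases `checkmodule` may be missing and the rules are quietly skipped — a `selinuxenabled` guard plus an explicit warning on failure would make that visible. In the last hunk `checkpolicy` is removed unconditionally although it was only installed conditionally (and may have been present before the script ran), and the `se_wg` module itself is left loaded; `semodule -r se_wg` belongs in `uninstallWg`. The call site in the third hunk should quote its argument: `installSELinuxRules "${OS}"`.
```shell
function installSELinuxRules() {
	local osid tmpdir
	osid="$1"

	# Only the RHEL-family targets get a module; do nothing where SELinux is absent or disabled.
	if [[ $osid != 'fedora' && $osid != 'centos' && $osid != 'almalinux' && $osid != 'rocky' ]]; then
		return 0
	fi
	if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
		return 0
	fi

	tmpdir=$(mktemp -d) || { echo "Cannot create a temporary directory for the SELinux module" >&2; return 1; }

	if [[ $osid == 'fedora' ]]; then
		echo "module se_wg 1.0;require { type wireguard_t; class capability { dac_override dac_read_search }; } allow wireguard_t self:capability { dac_override dac_read_search };" >"${tmpdir}/se_wg.te"
	else
		echo "module se_wg 1.0; require {type wireguard_t; type cert_t; type firewalld_t; class capability { dac_override dac_read_search }; class dir search; class dbus send_msg;} allow wireguard_t cert_t:dir search; allow wireguard_t firewalld_t:dbus send_msg; allow wireguard_t self:capability { dac_override dac_read_search };" >"${tmpdir}/se_wg.te"
	fi

	# Build and load the module; report failure instead of silently leaving WireGuard confined.
	if ! { checkmodule -M -m -o "${tmpdir}/se_wg.mod" "${tmpdir}/se_wg.te" &&
		semodule_package -o "${tmpdir}/se_wg.pp" -m "${tmpdir}/se_wg.mod" &&
		semodule -i "${tmpdir}/se_wg.pp"; }; then
		echo "Warning: could not install the se_wg SELinux module; SELinux may block WireGuard" >&2
	fi
	rm -rf -- "${tmpdir}"
}
```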