Allow wireguard to setup DNS using dns-hatchet (bsc#1243148)

policy/modules/contrib/wireguard.te

@@ -41,6 +41,33 @@ domain_use_interactive_fds(wireguard_t)
 
 files_read_etc_files(wireguard_t)
 
+# XXX: new DNS piece
+allow wireguard_t self:capability sys_admin;
+
+sysnet_mount_file(wireguard_t)
+
+# use fs_tmpfs_filetrans() instead of chcon on resolv.conf
+# XXX: new dontaudit interface below
+sysnet_dontaudit_file_relabelto(wireguard_t)
+selinux_dontaudit_validate_context(wireguard_t)
+
+sysnet_create_config(wireguard_t)
+sysnet_write_config(wireguard_t)
+
+fs_tmpfs_filetrans(wireguard_t, net_conf_t, file, "resolv.conf")
+
+fs_all_mount_fs_perms_tmpfs(wireguard_t)
+fs_mounton_tmpfs(wireguard_t)
+fs_manage_ramfs_files(wireguard_t)
+storage_rw_fixed_disk_blk_dev(wireguard_t)
+
+optional_policy(`
+	mount_exec(wireguard_t)
+	mount_manage_pid_files(wireguard_t)
+')
+
+files_mounton_rootfs(wireguard_t)
+
 optional_policy(`
 	auth_read_passwd(wireguard_t)
 ')

policy/modules/kernel/filesystem.if

@@ -5772,6 +5772,24 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
 	dontaudit $1 tmpfs_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit relabelfrom attempts on files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_relabelfrom_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:file relabelfrom;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of tmpfs directories.

policy/modules/system/sysnetwork.if

@@ -1316,3 +1316,39 @@ interface(`sysnet_filetrans_cloud_net_conf',`
 
 	files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
 ')
+
+#######################################
+## <summary>
+##	Dontaudit relabelto network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_file_relabelto',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+    dontaudit $1 net_conf_t:file { relabelto };
+')
+
+#######################################
+## <summary>
+##	Mount network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_mount_file',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+    allow $1 net_conf_t:file mounton;
+')