Running https permissive could be Okay just for the sake of limited test. Never keep it that way for too long a time and never on a production machine. That being said, if you don't want to go through the message-bus solution, which sounds the more elegant to me, you may want to write your own SELinux policy module to allow httpd_t to transition, via sudo, to a brand new SELinux type/domain of your own, something named like php_wg_restarter_t. And you allow this new type/domain of yours to perform just the legitimate set of operations on the wigeguard service(s). Need that be, you may want to create a specific SELinux type for said wireguard service(s).