selinux-policy/access-to-iptables-run-file.patch

From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Tue, 25 Feb 2020 20:15:44 +0800
Subject: [PATCH] access to iptables run file

Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
 policy/modules/contrib/firewalld.te |  3 +++
 policy/modules/system/iptables.if   | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 8b78b37..f1cbf0a 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -139,3 +139,6 @@ optional_policy(`
 optional_policy(`
 	networkmanager_read_state(firewalld_t)
 ')
+
+# avc for openEuler
+iptables_var_run_file(firewalld_t)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5e1a4a5..6bdd8cf 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',`
 	allow $1 iptables_var_run_t:dir list_dir_perms;
 	read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
 ')
+
+#####################################
+## <summary>
+##      Access to iptables run files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`iptables_var_run_file',`
+gen_require(`
+type iptables_var_run_t;
+')
+
+allow $1 iptables_var_run_t:file { lock open read };
+')
-- 
1.8.3.1
update avc for openEuler 2020-02-26 14:13:26 +08:00			`From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001`
			`From: guoxiaoqi <guoxiaoqi2@huawei.com>`
			`Date: Tue, 25 Feb 2020 20:15:44 +0800`
			`Subject: [PATCH] access to iptables run file`

			`Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>`
			`---`
			`policy/modules/contrib/firewalld.te \| 3 +++`
			`policy/modules/system/iptables.if \| 18 ++++++++++++++++++`
			`2 files changed, 21 insertions(+)`

			`diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te`
			`index 8b78b37..f1cbf0a 100644`
			`--- a/policy/modules/contrib/firewalld.te`
			`+++ b/policy/modules/contrib/firewalld.te`
			@@ -139,3 +139,6 @@ optional_policy(`
			optional_policy(`
			`networkmanager_read_state(firewalld_t)`
			`')`
			`+`
			`+# avc for openEuler`
			`+iptables_var_run_file(firewalld_t)`
			`diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if`
			`index 5e1a4a5..6bdd8cf 100644`
			`--- a/policy/modules/system/iptables.if`
			`+++ b/policy/modules/system/iptables.if`
			@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',`
			`allow $1 iptables_var_run_t:dir list_dir_perms;`
			`read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)`
			`')`
			`+`
			`+#####################################`
			`+## <summary>`
			`+## Access to iptables run files.`
			`+## </summary>`
			`+## <param name="domain">`
			`+## <summary>`
			`+## Domain allowed access.`
			`+## </summary>`
			`+## </param>`
			`+#`
			+interface(`iptables_var_run_file',`
			+gen_require(`
			`+type iptables_var_run_t;`
			`+')`
			`+`
			`+allow $1 iptables_var_run_t:file { lock open read };`
			`+')`
			`--`
			`1.8.3.1`