From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Tue, 25 Feb 2020 20:15:44 +0800
Subject: [PATCH] access to iptables run file

Signed-off-by: guoxiaoqi
---
 policy/modules/contrib/firewalld.te | 3 +++
 policy/modules/system/iptables.if | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 8b78b37..f1cbf0a 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -139,3 +139,6 @@ optional_policy(`
 optional_policy(`
 networkmanager_read_state(firewalld_t)
 ')
+
+# avc for openEuler
+iptables_var_run_file(firewalld_t)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5e1a4a5..6bdd8cf 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',`
 allow $1 iptables_var_run_t:dir list_dir_perms;
 read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
 ')
+
+#####################################
+##
+## Access to iptables run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`iptables_var_run_file',`
+gen_require(`
+type iptables_var_run_t;
+')
+
+allow $1 iptables_var_run_t:file { lock open read };
+')
--
1.8.3.1
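Review bot: The added `iptables_var_run_file(firewalld_t)` call at the end of firewalld.te sits outside an `optional_policy(` block, unlike the neighbouring `networkmanager_read_state` call; that is only safe if iptables is always built into the base module on this distribution, otherwise the wrapper is needed so firewalld.te still links when iptables is absent — worth confirming against modules.conf. The comment `# avc for openEuler` records that a denial was observed but not what firewalld actually needs, which is what the next maintainer will want when deciding whether the rule is still required; something like `# firewalld reads and locks the iptables runtime file (presumably the xtables lock) directly` would carry that, with the file identity confirmed from the denial. Preserve the denial's object path in the commit message so the grant can be re-checked later.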
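Review bot: The new `iptables_var_run_file` interface hand-writes `{ lock open read }` on `iptables_var_run_t:file`, which is a strict subset of what the existing `iptables_read_var_run` interface directly above already grants through `read_files_pattern` (its `read_file_perms` set includes lock, getattr and ioctl as well as open and read); unless the intent is specifically to avoid the `dir list_dir_perms` grant, calling the existing interface from firewalld.te would fix the denial without adding policy, and the hand-rolled set as written will likely produce a follow-up denial on `getattr`. If a separate interface is kept, use the permission-set macro, `allow $1 iptables_var_run_t:file read_file_perms;`, and give the interface a name and summary that state what is allowed rather than "access", e.g. `## Read and lock iptables runtime files.` Also confirm the rest of the file indents the `gen_require` body and allow rule with tabs, since the hunk appears to have lost its indentation.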