selinux-policy/backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch

From 6c9ef9467ee7e7c9d569a102b05869419409b15e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 27 Jun 2022 09:17:43 +0200
Subject: [PATCH] Allow firewalld read the contents of the sysfs filesystem

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6c9ef9467ee7e7c9d569a102b05869419409b15e
Conflict: NA

Addresses the following AVC denial which is triggered on the firewalld
service start when it tries to read /sys/devices/system/cpu/possible:

type=AVC msg=audit(1656139734.292:232): avc:  denied  { read } for  pid=1396 comm="firewalld" name="possible" dev="sysfs" ino=46 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

Resolves: rhbz#2101062
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/contrib/firewalld.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 62cb02c..1c2d25e 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -81,7 +81,7 @@ corecmd_exec_bin(firewalld_t)
 corecmd_exec_shell(firewalld_t)
 
 dev_read_urand(firewalld_t)
-dev_search_sysfs(firewalld_t)
+dev_read_sysfs(firewalld_t)
 
 domain_use_interactive_fds(firewalld_t)
 domain_obj_id_change_exemption(firewalld_t)
-- 
1.8.3.1