From ca0979792fbac63bec49b673fa9c3d7910bf0189 Mon Sep 17 00:00:00 2001
From: Joel Scherpelz <jscherpelz@google.com>
Date: Tue, 25 Apr 2017 11:53:51 +0900
Subject: [PATCH] Allow dumpstate to acquire xtables.lock

iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access.

Bug: 37648320
Test: dumpstate succeeds with no avc: denied ... xtables.lock messages
Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
---
 private/dumpstate.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/dumpstate.te b/private/dumpstate.te
index cbdfbc6d5..b8f81526c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -5,6 +5,9 @@ init_daemon_domain(dumpstate)
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
 
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
 # TODO: deal with tmpfs_domain pub/priv split properly
 allow dumpstate dumpstate_tmpfs:file execute;
-- 
GitLab
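Review bot: The added `allow dumpstate system_file:file lock;` grants advisory-lock permission on every file labeled `system_file`, not only the `/system/etc/xtables.lock` named in the comment above it, so a dumpstate that misbehaves or is compromised could hold `flock`/`fcntl` locks on any other system_file-labeled file and stall processes that lock them. If the lock file can carry its own type (a `file_contexts` entry for `/system/etc/xtables\.lock` plus a type declared in `file.te`), the rule can be narrowed to that type; if it cannot, presumably because the file is a prebuilt on the system partition that netd and other iptables callers lock under the generic label, the comment should say so rather than naming a single path the rule does not actually scope to. Suggested replacement for the comment line: `# xtables.lock is a prebuilt file on /system and carries the generic system_file label, so this grants lock on all system_file files; locks are advisory, so the exposure is lock contention, not data access.` That way the breadth reads as deliberate rather than as a missing dedicated type.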