From 4fbcd778def09a63cdd0a3d75f74942808e43807 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mar 18 2010 12:10:21 +0000
Subject: Iptables patch from Dan Walsh.
---
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index b151a1f..0948921 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -107,7 +107,7 @@ interface(`shorewall_read_lib_files',`
 #
 interface(`shorewall_rw_lib_files',`
 gen_require(`
- type shorewall_t;
+ type shorewall_var_lib_t;
 ')
 files_search_var_lib($1)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 7626034..d83532b 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
-policy_module(iptables, 1.10.1)
+policy_module(iptables, 1.10.2)
 ########################################
 #
@@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
 allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
+allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
@@ -53,6 +54,7 @@ kernel_read_modprobe_sysctls(iptables_t)
 kernel_use_fds(iptables_t)
 corenet_relabelto_all_packets(iptables_t)
+corenet_dontaudit_rw_tun_tap_dev(iptables_t)
 dev_read_sysfs(iptables_t)
@@ -122,5 +124,9 @@ optional_policy(`
 ')
 optional_policy(`
+ shorewall_rw_lib_files(iptables_t)
+')
+
+optional_policy(`
 udev_read_db(iptables_t)
 ')
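Review bot: `corenet_dontaudit_rw_tun_tap_dev(iptables_t)` in the @@ -53,6 +54,7 @@ hunk silences read/write denials on tun/tap device nodes rather than resolving them, and nothing in the commit records where those denials come from. If they stem from a descriptor inherited from a tunnel or VPN daemon that executes iptables, the dontaudit is the right call but should say so in place, e.g. `# silence rw denials on tun/tap fds inherited from tunnel daemons that exec iptables` (hedged, since the triggering caller is not visible here). If iptables genuinely needs the device, the silenced denial will hide a functional failure; the behaviour can be confirmed with dontaudit rules disabled (`semodule -DB`) before this rule is kept.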
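Review bot: `shorewall_rw_lib_files(iptables_t)` in the final hunk grants iptables_t both read and write on shorewall's var_lib files, which is broader than a rule loader obviously needs; if iptables only consumes those files, the sibling `shorewall_read_lib_files` interface (visible in the first hunk's header) is the tighter grant, and the commit message gives no rationale for choosing rw. This new call also depends on the first hunk, which changes the interface's `gen_require` from `type shorewall_t;` to `type shorewall_var_lib_t;`; before that fix the interface would not have expanded correctly from iptables.te, so the two hunks should be noted as one change. The remainder of `shorewall_rw_lib_files` lies outside the first hunk, so it is worth confirming its body no longer references `shorewall_t`, which is now unrequired.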