Allow dumpstate to acquire xtables.lock iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access. Bug: 37648320 Test: dumpstate succeeds with no avc: denied ... xtables.lock messages Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd (cherry picked from commit ca0979792fbac63bec49b673fa9c3d7910bf0189)

commit: 5e901bbe89f253a072b900962f33c77ed593be9c [log] [tgz]
author: Joel Scherpelz <jscherpelz@google.com> Tue Apr 25 11:53:51 2017 +0900
committer: Joel Scherpelz <jscherpelz@google.com> Tue Apr 25 16:22:11 2017 +0900
tree: 1c5fe3a37f87486eda1788850f0bc776f8f3ba64
parent: 327d7cb91073ae8138fdc8c8cd513f7176713cda [diff] [blame]
diff --git a/private/dumpstate.te b/private/dumpstate.te
index cbdfbc6..b8f8152 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te

@@ -5,6 +5,9 @@
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
 
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
 # TODO: deal with tmpfs_domain pub/priv split properly
 allow dumpstate dumpstate_tmpfs:file execute;
commit	5e901bbe89f253a072b900962f33c77ed593be9c	[log] [tgz]
author	Joel Scherpelz <jscherpelz@google.com>	Tue Apr 25 11:53:51 2017 +0900
committer	Joel Scherpelz <jscherpelz@google.com>	Tue Apr 25 16:22:11 2017 +0900
tree	1c5fe3a37f87486eda1788850f0bc776f8f3ba64
parent	327d7cb91073ae8138fdc8c8cd513f7176713cda [diff] [blame]