[selinux-policy: 2547/3172] Iptables patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:46:23 UTC 2010


commit 4fbcd778def09a63cdd0a3d75f74942808e43807
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Mar 18 08:10:21 2010 -0400

    Iptables patch from Dan Walsh.

 policy/modules/admin/shorewall.if |    2 +-
 policy/modules/system/iptables.te |    8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index b151a1f..0948921 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -107,7 +107,7 @@ interface(`shorewall_read_lib_files',`
 #
 interface(`shorewall_rw_lib_files',`
         gen_require(`
-                type shorewall_t;
+                type shorewall_var_lib_t;
        ')
 
         files_search_var_lib($1)
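Review bot: The new `type shorewall_var_lib_t;` line, like the rest of this gen_require block, is indented with spaces (8 on the opening `gen_require(` line, 16 on the type line, 7 on the closing `')`), whereas refpolicy interfaces and the iptables.te hunk in this same commit use tabs; the block should read `\tgen_require(` / `\t\ttype shorewall_var_lib_t;` / `\t')`. Requiring the type the interface actually uses instead of `shorewall_t` is the right fix, so this is cosmetic only. The body of `shorewall_rw_lib_files` continues past the end of this hunk.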
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 7626034..d83532b 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
 
-policy_module(iptables, 1.10.1)
+policy_module(iptables, 1.10.2)
 
 ########################################
 #
@@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
 
 allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
+allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
 
@@ -53,6 +54,7 @@ kernel_read_modprobe_sysctls(iptables_t)
 kernel_use_fds(iptables_t)
 
 corenet_relabelto_all_packets(iptables_t)
+corenet_dontaudit_rw_tun_tap_dev(iptables_t)
 
 dev_read_sysfs(iptables_t)
 
@@ -122,5 +124,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	shorewall_rw_lib_files(iptables_t)
+')
+
+optional_policy(`
 	udev_read_db(iptables_t)
 ')
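Review bot: `shorewall_rw_lib_files(iptables_t)` grants the iptables domain write access to shorewall's state files under /var/lib, but nothing in the commit says iptables needs to write there. The read-only `shorewall_read_lib_files` interface exists (visible in the shorewall.if hunk header of this same commit) and is the least-privilege choice if only reads were denied; if writes are genuinely required, keep the rw call but say why in a comment, e.g. `# shorewall invokes iptables and iptables updates its state files — see the motivating denial`. As written, the reason is not recoverable from the policy.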

