iptables: Ioctl cgroup dirs.

avc:  denied  { ioctl } for  pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>

2 files changed, 20 insertions, 0 deletions

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index cf075a22..fcdb49b6 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -772,6 +772,25 @@ interface(`fs_list_cgroup_dirs', `
 
 ########################################
 ## <summary>
+##	Ioctl cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_ioctl_cgroup_dirs', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:dir ioctl;
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Delete cgroup directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 9e80a9ec..2004bb81 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -75,6 +75,7 @@ dev_dontaudit_write_mtrr(iptables_t)
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
 fs_list_inotifyfs(iptables_t)
+fs_ioctl_cgroup_dirs(iptables_t)
 
 mls_file_read_all_levels(iptables_t)