Allow dumpstate to acquire xtables.lock

iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access. Bug: 37648320 Test: dumpstate succeeds with no avc: denied ... xtables.lock messages Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd (cherry picked from commit ca097979)

Allow dumpstate to acquire xtables.lock
iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access. Bug: 37648320 Test: dumpstate succeeds with no avc: denied ... xtables.lock messages Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd (cherry picked from commit ca097979)
5e901bbe · Joel Scherpelz · 327d7cb9 · 5e901bbe
Commit 5e901bbe authored 8 years ago by Joel Scherpelz
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -5,6 +5,9 @@ init_daemon_domain(dumpstate)
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
 # TODO: deal with tmpfs_domain pub/priv split properly
 allow dumpstate dumpstate_tmpfs:file execute;