iptables: Ioctl cgroup dirs.

avc:  denied  { ioctl } for  pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>

policy/modules/kernel/filesystem.if

@@ -770,6 +770,25 @@ interface(`fs_list_cgroup_dirs', `
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Ioctl cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_ioctl_cgroup_dirs', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:dir ioctl;
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Delete cgroup directories.

policy/modules/system/iptables.te

@@ -75,6 +75,7 @@ dev_dontaudit_write_mtrr(iptables_t)
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
 fs_list_inotifyfs(iptables_t)
+fs_ioctl_cgroup_dirs(iptables_t)
 
 mls_file_read_all_levels(iptables_t)