From 8d22ebed52eeace029f6fbb375eeff7262762d2b Mon Sep 17 00:00:00 2001
From: Dave Sugar
Date: Thu, 15 Sep 2022 20:33:24 -0400
Subject: [PATCH] firewalld: allow watch on firewalld files

Seeing the following spamming audit log:

node=localhost type=AVC msg=audit(1663285699.690:100198): avc: denied { watch } for pid=1021 comm="gmain" path="/usr/lib/firewalld/services" dev="dm-0" ino=136583 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1663285699.690:100199): avc: denied { watch } for pid=1021 comm="gmain" path="/etc/firewalld/helpers" dev="dm-0" ino=653079 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1663291139.192:403): avc: denied { map } for pid=1019 comm="firewalld" path=2F72756E2F2331323635202864656C6574656429 dev="tmpfs" ino=1265 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_runtime_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar
---
 policy/modules/services/firewalld.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 2dbcba145..954a348f0 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -39,6 +39,7 @@ allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
 
+allow firewalld_t firewalld_etc_rw_t:dir watch;
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
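Review bot: The new `allow firewalld_t firewalld_etc_rw_t:dir watch;` carries no record of why a bare watch was granted, and refpolicy .te files otherwise give no hint; a short comment above it such as `# inotify watch on /etc/firewalld subdirectories (AVC: watch on /etc/firewalld/helpers)` keeps the reason reviewable once the commit message is out of reach. The rule grants watch on the directory class only, which matches the denial exactly (tclass=dir), so no file-class watch is being handed out here. Placing the raw allow ahead of the manage_*_pattern lines keeps all firewalld_etc_rw_t rules together, which is consistent with how the self: rules above are grouped.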
@@ -54,7 +55,7 @@ files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
 allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
-manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
+mmap_manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
 manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
@@ -83,6 +84,8 @@ fs_getattr_xattr_fs(firewalld_t)
 
 logging_send_syslog_msg(firewalld_t)
 
+libs_watch_lib_dirs(firewalld_t)
+
 miscfiles_read_localization(firewalld_t)
 
 seutil_exec_setfiles(firewalld_t)
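Review bot: Switching to `mmap_manage_files_pattern` grants `map` on every firewalld_runtime_t file, while the denial it answers is for one transient object: the hex path in the commit message decodes to `/run/#1265 (deleted)`, i.e. an already-unlinked file on tmpfs. That object gets its label through the `files_runtime_filetrans` on the following line and has no narrower type to target, so the widening is acceptable, but the decoded path should be stated (in the commit message or a comment such as `# map needed for unlinked tmpfs file created under /run`) so the reason for `map` on writable runtime files is not lost. To my reading the mmap_manage pattern adds only `map`, not `execute`, to the existing manage permissions; confirm against the obj_perm_sets definitions in this tree, since `map` on a file the domain can also write is the part a reviewer would want to see justified.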
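Review bot: `libs_watch_lib_dirs(firewalld_t)` is inserted after `logging_send_syslog_msg(firewalld_t)`, which breaks the alphabetical-by-module ordering this section follows (fs_, logging_, miscfiles_, seutil_); the call belongs between `fs_getattr_xattr_fs(firewalld_t)` and the logging line. The interface also grants `watch` on all lib_t directories, whereas the denial is only for `/usr/lib/firewalld/services`; that is the narrowest interface refpolicy exposes for lib_t, so it is acceptable, but a comment such as `# firewalld watches its shipped defaults under /usr/lib/firewalld` would record that the broader grant was a deliberate choice rather than an oversight. This pairs with the firewalld_etc_rw_t `watch` rule added in the first hunk of this patch, so both the config tree and the shipped-defaults tree are now watchable.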