# firewalld.
type firewalld, domain;
type firewalld_exec, exec_type, file_type;

brillo_domain(firewalld)
net_domain(firewalld)

# Allow crash_reporter access to core dump files.
allow_crash_reporter(firewalld)

allow firewalld self:capability { net_admin net_raw };
allow firewalld self:rawip_socket create_socket_perms;
allowxperm firewalld self:rawip_socket ioctl priv_sock_ioctls;

allow firewalld system_file:file rx_file_perms;

r_dir_file(firewalld, proc)
allow firewalld proc:filesystem getattr;
allow firewalld proc_net:file getattr;
allow firewalld firewalld_service:service_manager { add find };