Might have been some merge issue with upstream policy.
I think Fedora and refpolicy implement configfile each in a different
way, this may (or may not) cause confusion when Fedora merges upstream
refpolicy in its branch.

I am annoyed because I do not want to be dealing with issues which were
'resolved' nearly a year ago just to resurface again when I try to upgrade.
Anyway, I backed out of this upgrade because as it turns out there are
also quite a few issues with compiling the kernel as well, so I may as
well just wait until FC15 comes around - I do not normally follow
even-numbered Fedora upgrades, but do not know what possessed me over the
Xmas period to go for this upgrade...

In my view allowing iptables to read all config files is
sub-optimal.
I would probably just allow:
    shorewall_read_config(iptables)

I did that as a temporary measure (added optional_policy statement with
shorewall_read_config) to see if it is going to cure the problem - it
did, though, as you put it above, it is not ideal.