>
> >
> > You can remove the iotop_role(): it's pretty useless.
>
> Do you mean this line?
>
> role iotop_roles types iotop_t;
>
No, I mean this (from the iotop.if file):
########################################
## <summary>
## Role allowed to access and manage processes in the iotop domain.
## </summary>
## <param name="role">
## <summary>
## Role allowed access to iotop
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`iotop_role',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	roleattribute $1 iotop_roles;

	iotop_domtrans($2)

	ps_process_pattern($2, iotop_t)
	allow $2 iotop_t:process { signull signal sigkill };
')
OHHHH I see. I have removed it now.
OK, earlier you showed me this, but yes, if you cannot reproduce then
ignore it for now:
allow iotop_t random_device_t:chr_file read;
Yep. Perhaps another one of my mistakes from my permissive / not
permissive issue? Anyway, I tested that I certainly need the urandom
rule by removing it to see if I get AVCs, which I do, so I have left
it in the te.
--
Sincerely,
William Brown
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A
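
The test described in the message above (remove a rule, run iotop, keep the rule only if AVC denials appear) can be checked mechanically against the audit log. This is an added example, not part of the original thread: the log lines are constructed, and urandom_device_t, the raw form of the urandom rule, and the function names are assumptions.

```python
import re

# Constructed audit.log lines (not from the thread). urandom_device_t is
# assumed to be the type behind "the urandom rule".
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:310): avc:  denied  { read open } for  pid=2211 comm="iotop" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=staff_u:sysadm_r:iotop_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1400000000.200:312): avc:  denied  { getattr } for  pid=900 comm="sshd" path="/etc/shadow" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Rules under test, each removed from the loaded module before the run.
# The urandom rule is written in an assumed raw form.
CANDIDATES = """
allow iotop_t random_device_t:chr_file read;
allow iotop_t urandom_device_t:chr_file { read open };
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def denials(log, source_type):
    """Map (target type, class) -> permissions denied to source_type."""
    seen = {}
    for m in AVC_RE.finditer(log):
        # A context is user:role:type[:level]; the type is the third field.
        if m["s"].split(":")[2] != source_type:
            continue
        key = (m["t"].split(":")[2], m["cls"])
        seen.setdefault(key, set()).update(m["perms"].split())
    return seen

def review(te_text, log, source_type):
    """Mark each candidate rule 'needed' if a logged denial backs it."""
    seen = denials(log, source_type)
    verdict = {}
    for src, tgt, cls, braced, single in RULE_RE.findall(te_text):
        if src != source_type:
            continue
        perms = set((braced or single).split())
        hit = perms & seen.get((tgt, cls), set())
        verdict[(tgt, cls)] = "needed" if hit else "unreproduced"
    return verdict

if __name__ == "__main__":
    for (tgt, cls), status in review(CANDIDATES, SAMPLE_LOG, "iotop_t").items():
        print(f"iotop_t -> {tgt}:{cls}: {status}")
```

A rule reported as unreproduced only means the sampled log holds no matching denial; dontaudit rules or a permissive domain can hide or change what gets logged.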