From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 4 Nov 2013 22:42:10 +0100
Subject: [refpolicy] [RFC] Need for read_policy to use audit2allow?
Message-ID: <20131104214209.GA4756@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi guys

I'm testing out the new userspace release and am now seemingly in need of the read_policy permission (security class) when I want to use audit2allow. The audit2allow command doesn't give any errors, it just doesn't display anything beyond a module header.

In the AVC logs I have something like this:

type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security

If I allow this (here for sysadm_t) through selinux_read_policy(sysadm_t) then audit2allow functions properly again.

With the previous userspace release I do not seem to need this, nor is audit2allow running in any domain other than the one it is called from.

Is this expected behavior (considering it is a security class, I thought I had better ask)?

Wkr,
Sven Vermeulen
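As an added illustration, not part of the mail or of the refpolicy project, of what audit2allow produces from a denial like the one above once it is able to read the loaded policy: this script parses the quoted AVC line, merges permissions into allow rules, and flags security-class denials (they govern access to the policy itself) together with the refpolicy interface that wraps them. The second log line, the var_log_t denial and the REFPOLICY_INTERFACES table are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial quoted in the mail, plus one constructed
# file denial with two permissions so the merge step has something to do.
SAMPLE_AVC = """\
type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1565426460.100:823): avc: denied { read open } for pid=2661 comm="tail" path="/var/log/messages" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Refpolicy interfaces known to wrap a (target type, class, permission) triple;
# only the one named in the mail is listed here (assumed table, extend as needed).
REFPOLICY_INTERFACES = {
    ("security_t", "security", "read_policy"): "selinux_read_policy",
}

def parse_denials(text):
    """Parse AVC denial lines into (source type, target type, class, perms) tuples;
    the type is the third field of a user:role:type[:mls] context."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            src, tgt = (m[k].split(":")[2] for k in ("scontext", "tcontext"))
            denials.append((src, tgt, m["tclass"], tuple(m["perms"].split())))
    return denials

def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)].update(perms)
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, cls), p in sorted(merged.items())]

def review_notes(denials):
    """Flag 'security'-class denials, which govern access to the loaded policy
    itself, and name the refpolicy interface that grants the permission if known."""
    notes = []
    for src, tgt, cls, perms in denials:
        for perm in perms if cls == "security" else ():
            iface = REFPOLICY_INTERFACES.get((tgt, cls, perm))
            how = f"{iface}({src})" if iface else "a reviewed raw allow rule"
            notes.append(f"{src} needs security:{perm}; grant via {how}")
    return notes
```

Running parse_denials on SAMPLE_AVC and feeding the result to allow_rules and review_notes reproduces the rule audit2allow would have printed for the mail's denial and points at selinux_read_policy(sysadm_t) as the interface to use instead of a raw rule.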