When trying to build a SELinux module using "audit2allow -m test -R" (-R to use refpolicy style interfaces), the module does not use the interface, instead falling back on the 'regular' allow statement. The /var/lib/sepolgen/interface_info is up to date (sepolgen-ifgen was run, and the information for the call I need (kernel_rw_kernel_sysctl) seems to be provided in it). Also, strace'ing the audit2allow process does show that it is reading this file.

Reproducible: Always
Seems to be working for more recent policycoreutils (testing with 2.2.5 here):

# cat /tmp/test.txt | audit2allow -m test -R; cat /tmp/test.txt
policy_module(test, 1.0)

require {
	type gpg_pinentry_t;
}

#============= gpg_pinentry_t ==============
fs_getattr_xattr_fs(gpg_pinentry_t)
type=AVC msg=audit(1388327755.063:952): avc: denied { getattr } for pid=989 comm="pinentry" name="/" dev="dm-3" ino=2 scontext=staff_u:staff_r:gpg_pinentry_t tcontext=system_u:object_r:fs_t tclass=filesystem
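A check a practitioner can run over the module that audit2allow -R emits, to tell an interface-resolved result like the one quoted above from the raw allow fallback the report describes. This is an added example in Python, not part of this bug report or of policycoreutils; the two sample modules are constructed from the output quoted above.

```python
import re

# Constructed samples of audit2allow -R output. INTERFACE_OUTPUT mirrors the
# working result quoted in the comment above; FALLBACK_OUTPUT is the failure
# the reporter describes, a raw allow rule where a refpolicy interface belongs.
INTERFACE_OUTPUT = """policy_module(test, 1.0)
require {
\ttype gpg_pinentry_t;
}
#============= gpg_pinentry_t ==============
fs_getattr_xattr_fs(gpg_pinentry_t)
"""
FALLBACK_OUTPUT = """policy_module(test, 1.0)
require {
\ttype gpg_pinentry_t;
\ttype fs_t;
\tclass filesystem getattr;
}
#============= gpg_pinentry_t ==============
allow gpg_pinentry_t fs_t:filesystem getattr;
"""
ALLOW_RE = re.compile(r"^allow\s+\S+\s+\S+:\S+\s+.*;$")
IFACE_RE = re.compile(r"^([a-z][a-z0-9_]*)\(([^)]*)\);?$")

def classify_rules(te_text):
    """Return (raw allow rules, interface names) in a .te body; comments, the header and the require block are skipped."""
    allows, interfaces = [], []
    in_require = False
    for raw in te_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("policy_module("):
            continue
        if line.startswith("require"):
            in_require = True
        elif in_require:
            # stay inside the require block until its closing brace
            in_require = not line.startswith("}")
        elif ALLOW_RE.match(line):
            allows.append(line)
        else:
            m = IFACE_RE.match(line)
            if m:
                interfaces.append(m.group(1))
    return allows, interfaces

def uses_interfaces_only(te_text):
    """True when -R resolved every denial to an interface call (no allow fallback)."""
    allows, interfaces = classify_rules(te_text)
    return bool(interfaces) and not allows
```

Feed it the .te text that `audit2allow -m test -R` writes; a non-empty allow list with -R means the interface lookup did not resolve, which is the symptom reported here.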
Stable in tree