+lldp_cli_domtrans(lldpd_t)
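Review bot: lldp_cli_domtrans(lldpd_t) carries no comment saying why the daemon domain needs a transition into the CLI domain. A one-line comment above the call stating that lldpd itself executes lldpcli would document the intent of the transition in the policy source.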
The daemon runs the cli tool?
Yes.
+init_dontaudit_use_script_ptys(lldp_cli_t)
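Review bot: init_dontaudit_use_script_ptys(lldp_cli_t) is a dontaudit rule, so it only suppresses the audit record and grants nothing; lldp_cli_t is still refused access to the init script pty. If the rule stays, add a comment naming the inherited descriptor it silences (initrc_devpts_t chr_file, read write) so it is clear the access is unneeded rather than missing.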
This should not be necessary, as this is allowed via init_system_domain().
Without this rule I have these denials:
type=AVC msg=audit(1560772835.304:520336): avc: denied { read write } for pid=20384 comm="lldpcli" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:lldp_cli_t:s0 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1560773162.058:520386): avc: denied { read write } for pid=20583 comm="lldpcli" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:lldp_cli_t:s0 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file permissive=0
It can be safely omitted.
--
Alexander Miroshnichenko