Hello,

Thank you for the help, Stephen. Exactly what you had said: The avc denial should be suppressed by dontaudit rules, unless you've rebuilt with those stripped from the policy.

Hopefully I understand this correctly; make enableaudit was giving me

    allow system_chkpwd_t security_t:file read;

and

    allow sysadm_sudo_t shadow_t:file { read getattr };

After recompiling my policy (without make enableaudit): make clean, make policy; the allow rules worked for shadow, without commenting out anything.
Regards,
--Justin P. Mattock