I'm either missing something incredibly obvious, or something really, really weird is going on.

I have a policy module that includes this rule.

    allow runcp_t etc_t:file { create write setattr };

And I can see that the rule is loaded.

    $ sesearch --allow -s runcp_t -t etc_t -c file -ds -dt
    allow runcp_t etc_t:file { create setattr write };

Nonetheless, I am still getting this denial.

    type=AVC msg=audit(1731345803.780:3765): avc: denied { create } for pid=289668 comm="cp" name="config" scontext=system_u:system_r:runcp_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

AFAICT, this makes no sense at all. Any ideas?

--
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================