You can remove the iotop_role(): it's pretty useless.
Do you mean this line?
role iotop_roles types iotop_t;
No, I mean this (from the iotop.if file):

########################################
## <summary>
##	Role allowed to access and manage processes in the iotop domain.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access to iotop
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`iotop_role',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	roleattribute $1 iotop_roles;

	iotop_domtrans($2)

	ps_process_pattern($2, iotop_t)
	allow $2 iotop_t:process { signull signal sigkill };
')
OHHHH I see. I have removed it now.
OK, earlier you showed me this, but yes, if you cannot reproduce it then ignore it for now:
allow iotop_t random_device_t:chr_file read;
Yep. Perhaps another one of my mistakes from my permissive / not permissive issue? Anyway, I tested that I certainly need the urandom rule by removing it to see if I get AVCs, which I do, so I have left it in the .te.