The error file

The secpolgenerate utility provides the file /dev/secpolgenerate/errors to help you debug broken systems.

If you run a system with a security policy and rules are missing from it, some parts might not work. To help you troubleshoot, secpolgenerate captures errors in the file /dev/secpolgenerate/errors. For example, if you try to run io-audio with the type random_t, a type that accounts for the needs of the random process, /dev/secpolgenerate/errors contains the following entry:

allow random_t self:ability {
    io
};

This error indicates that the process running as type random_t is missing the io ability.

The secpolgenerate utility also detects if a process uses an unregistered sigevent. (See sigevent and MsgRegisterEvent() in the C Library Reference.) The use of unregistered events is a potential security problem. The secpolgenerate utility reports up to 10 unregistered events per process.

What you do with the error information is up to you. If whatever failed is something that should have worked, you can update your policy to allow it (for example, give random_t the io ability). Or, as in this case, the failure indicates something else is wrong: io-audio is running with the wrong type. In other cases, you can simply ignore the error.
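To triage a populated errors file the way this section describes, here is an added Python example (not part of the secpolgenerate documentation or the tool itself) that parses entries of the shape shown above, merges repeated entries per type, and flags abilities that a type was never meant to have, which is the "wrong type" case rather than a rule to add. It assumes every entry has the form `allow <type> <target>:<class> { <items> };`, which is the only shape this page shows; the sample file contents and the per-type allow-list are constructed.

```python
import re
from collections import defaultdict
# Constructed sample of /dev/secpolgenerate/errors contents (not captured from a real system).
SAMPLE_ERRORS = """\
allow random_t self:ability {
    io
};
allow random_t self:ability {
    spawn
    setuid
};
allow audio_t self:ability {
    mem_phys
};
"""

# Assumed entry shape: "allow <source> <target>:<class> { <items> };". The page only
# shows "self:ability"; any target/class is accepted so nothing is silently dropped.
ENTRY_RE = re.compile(
    r"allow\s+(?P<source>\S+)\s+(?P<target>[^:\s{]+):(?P<cls>[^\s{]+)\s*\{(?P<items>[^}]*)\}\s*;"
)

def parse_errors(text):
    """Return one (source_type, 'target:class', [items]) tuple per entry, in file order."""
    return [(m["source"], f"{m['target']}:{m['cls']}", m["items"].split())
            for m in ENTRY_RE.finditer(text)]

def missing_by_type(text):
    """Merge repeated entries into {type: {'target:class': sorted missing items}}."""
    merged = defaultdict(lambda: defaultdict(set))
    for source, target_cls, items in parse_errors(text):
        merged[source][target_cls].update(items)
    return {t: {c: sorted(v) for c, v in cls.items()} for t, cls in merged.items()}

def unexpected_abilities(text, expected):
    """Abilities a type requested that `expected` (constructed allow-list: type -> set)
    does not grant it; per the text above, that points at a process under the wrong type."""
    flagged = {}
    for source, classes in missing_by_type(text).items():
        extra = sorted(set(classes.get("self:ability", [])) - expected.get(source, set()))
        if extra:
            flagged[source] = extra
    return flagged

if __name__ == "__main__":
    # Constructed allow-list: random_t is a small entropy daemon, audio_t drives hardware.
    expected = {"random_t": {"spawn"}, "audio_t": {"mem_phys", "io"}}
    print(missing_by_type(SAMPLE_ERRORS))
    print(unexpected_abilities(SAMPLE_ERRORS, expected))
```

Entries that fall outside the allow-list (here `io` and `setuid` for random_t) are the ones to investigate before touching the policy; the rest can be merged into new rules after review.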

If the system is more fundamentally broken and you cannot even access /dev/secpolgenerate/errors, you can also run secpolgenerate with the option -v. This option configures secpolgenerate to output errors to stderr, which allows you to see the errors even if the system does not boot sufficiently to access them by other means.