
[testsuite,07/24] policy: move unconfined_t-related dontaudit rule to where it fits better

Message ID 20220729120229.207584-8-omosnace@redhat.com (mailing list archive)
State Superseded
Delegated to: Ondrej Mosnáček
Series Clean up testsuite policy and support running as sysadm_t | expand

Commit Message

Ondrej Mosnacek July 29, 2022, 12:02 p.m. UTC
Even though the dontaudit rule is only needed for the 'minimal' domains, it is
cleaner to apply it to all of them inside the optional block.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 2 ++
 policy/test_policy.if | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

Patch

diff --git a/policy/test_global.te b/policy/test_global.te
index 83e573c..03acc19 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -21,6 +21,8 @@  optional_policy(`
 	allow testsuite_domain unconfined_t:fd use;
 	allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr };
 	allow testsuite_domain unconfined_t:process { sigchld };
+	# needed for domains outside domain_type()
+	dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
 ')
 
 gen_require(`
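Review bot: The dontaudit added on the new line now suppresses the noatsecure/rlimitinh/siginh denials from unconfined_t for every testsuite_domain, not only for the testsuite_domain_type_minimal() domains that the commit message says need it, so a domain_type()-based test domain that unexpectedly trips one of these checks will no longer leave a trace in the audit log. For a test policy that is probably an acceptable trade-off, but the comment should record that the wider scope is deliberate rather than implying it is only in effect for the minimal domains. Suggest `# needed by testsuite_domain_type_minimal() domains (not covered by domain_type()); applied to all testsuite_domain for simplicity, which also hides these denials for the others`. The enclosing optional_policy block opens before this hunk.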
diff --git a/policy/test_policy.if b/policy/test_policy.if
index f17a384..6cef8dd 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -49,7 +49,7 @@  interface(`testsuite_domain_type',`
 
 interface(`testsuite_domain_type_minimal',`
 	gen_require(`
-		type setrans_var_run_t, unconfined_t;
+		type setrans_var_run_t;
 	')
 
 	testsuite_domain_type_common($1)
@@ -62,7 +62,6 @@  interface(`testsuite_domain_type_minimal',`
 	dontaudit $1 security_t:filesystem getattr;
 	dontaudit $1 self:file getattr;
 	dontaudit $1 setrans_var_run_t:dir search;
-	dontaudit unconfined_t $1:process { noatsecure rlimitinh siginh };
 ')
 
 # Workarounds for refpolicy: