[testsuite,08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy

Message ID 20220729120229.207584-9-omosnace@redhat.com (mailing list archive)
State Superseded
Delegated to: Ondrej Mosnáček
Series Clean up testsuite policy and support running as sysadm_t

Commit Message

Ondrej Mosnacek July 29, 2022, 12:02 p.m. UTC
This is good to have for pretty much all domains, so remove the
individual calls and move it to test_general.te.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_atsecure.te              | 3 ---
 policy/test_binder.te                | 1 -
 policy/test_binder_bpf.te            | 1 -
 policy/test_bpf.te                   | 1 -
 policy/test_capable_file.te          | 1 -
 policy/test_dyntrace.te              | 1 -
 policy/test_dyntrans.te              | 1 -
 policy/test_entrypoint.te            | 1 -
 policy/test_execshare.te             | 1 -
 policy/test_exectrace.te             | 1 -
 policy/test_execute_no_trans.te      | 1 -
 policy/test_extended_socket_class.te | 1 -
 policy/test_fdreceive.te             | 1 -
 policy/test_fdreceive_bpf.te         | 1 -
 policy/test_file.te                  | 1 -
 policy/test_filesystem.te            | 1 -
 policy/test_global.te                | 3 +++
 policy/test_ibendport.te             | 1 -
 policy/test_ibpkey.te                | 1 -
 policy/test_inet_socket.te           | 1 -
 policy/test_inherit.te               | 1 -
 policy/test_ioctl.te                 | 1 -
 policy/test_ipc.te                   | 1 -
 policy/test_key_socket.te            | 1 -
 policy/test_keys.te                  | 1 -
 policy/test_mac_admin.te             | 1 -
 policy/test_module_load.te           | 1 -
 policy/test_mqueue.te                | 1 -
 policy/test_netlink_socket.te        | 1 -
 policy/test_notify.te                | 1 -
 policy/test_open.te                  | 1 -
 policy/test_perf_event.te            | 1 -
 policy/test_prlimit.te               | 1 -
 policy/test_ptrace.te                | 1 -
 policy/test_sctp.te                  | 1 -
 policy/test_sigkill.te               | 1 -
 policy/test_task_create.te           | 1 -
 policy/test_task_getpgid.te          | 1 -
 policy/test_task_getsched.te         | 1 -
 policy/test_task_getsid.te           | 1 -
 policy/test_task_setpgid.te          | 1 -
 policy/test_task_setsched.te         | 1 -
 policy/test_transition.te            | 3 ---
 policy/test_tun_tap.te               | 1 -
 policy/test_unix_socket.te           | 1 -
 policy/test_userfaultfd.te           | 1 -
 policy/test_vsock_socket.te          | 1 -
 policy/test_watchkey.te              | 1 -
 48 files changed, 3 insertions(+), 51 deletions(-)

Comments

Daniel Burgener Aug. 2, 2022, 1:55 p.m. UTC | #1
On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> This is good to have for pretty much all domains, so remove the
> individual calls and move it to test_general.te.
> 

For whatever reason, test_sysnice.te uses

domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)

instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access 
added in the global attribute here covers that and the 
domain_transition_pattern() there can be deleted as well.

Between that and the change to test_setnice.te in Patch 9, this comment 
above those two lines seems obsolete and can probably be deleted:

# Allow all of these domains to be entered from sysadm domain
# via a shell script in the test directory or by....

-Daniel
Ondrej Mosnacek Aug. 3, 2022, 8:53 a.m. UTC | #2
On Tue, Aug 2, 2022 at 3:55 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > This is good to have for pretty much all domains, so remove the
> > individual calls and move it to test_general.te.
> >
>
> For whatever reason, test_sysnice.te uses
>
> domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
>
> instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access
> added in the global attribute here covers that and the
> domain_transition_pattern() there can be deleted as well.
>
> Between that and the change to test_setnice.te in Patch 9, this comment
> above those two lines seems obsolete and can probably be deleted:
>
> # Allow all of these domains to be entered from sysadm domain
> # via a shell script in the test directory or by....]

Oh, true... I did carefully search and remove all individual
references to unconfined* but not sysadm*. I'll try to clean those up,
too.
Ondrej Mosnacek Aug. 4, 2022, 11:54 a.m. UTC | #3
On Wed, Aug 3, 2022 at 10:53 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Tue, Aug 2, 2022 at 3:55 PM Daniel Burgener
> <dburgener@linux.microsoft.com> wrote:
> > On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > > This is good to have for pretty much all domains, so remove the
> > > individual calls and move it to test_general.te.
> > >
> >
> > For whatever reason, test_sysnice.te uses
> >
> > domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
> >
> > instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access
> > added in the global attribute here covers that and the
> > domain_transition_pattern() there can be deleted as well.
> >
> > Between that and the change to test_setnice.te in Patch 9, this comment
> > above those two lines seems obsolete and can probably be deleted:
> >
> > # Allow all of these domains to be entered from sysadm domain
> > # via a shell script in the test directory or by....]
>
> Oh, true... I did carefully search and remove all individual
> references to unconfined* but not sysadm*. I'll try to clean those up,
> too.

OK, I pushed a new version (see the GitHub PR) with sysadm* references
removed + corecmd_* rules also moved to general policy + some groups
of superfluous macro calls removed as well. There are probably still
some small cleanup opportunities left, but this is where I'm going to
stop for now.
Daniel Burgener Aug. 4, 2022, 1:31 p.m. UTC | #4
On 8/4/2022 7:54 AM, Ondrej Mosnacek wrote:
> On Wed, Aug 3, 2022 at 10:53 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>> On Tue, Aug 2, 2022 at 3:55 PM Daniel Burgener
>> <dburgener@linux.microsoft.com> wrote:
>>> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
>>>> This is good to have for pretty much all domains, so remove the
>>>> individual calls and move it to test_general.te.
>>>>
>>>
>>> For whatever reason, test_sysnice.te uses
>>>
>>> domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
>>>
>>> instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access
>>> added in the global attribute here covers that and the
>>> domain_transition_pattern() there can be deleted as well.
>>>
>>> Between that and the change to test_setnice.te in Patch 9, this comment
>>> above those two lines seems obsolete and can probably be deleted:
>>>
>>> # Allow all of these domains to be entered from sysadm domain
>>> # via a shell script in the test directory or by....]
>>
>> Oh, true... I did carefully search and remove all individual
>> references to unconfined* but not sysadm*. I'll try to clean those up,
>> too.
> 
> OK, I pushed a new version (see the GitHub PR) with sysadm* references
> removed + corecmd_* rules also moved to general policy + some groups
> of superfluous macro calls removed as well. There are probably still
> some small cleanup opportunities left, but this is where I'm going to
> stop for now.
> 

Awesome.  I'll aim to take a look through the updated github PR today or 
tomorrow and hopefully add my +1.

-Daniel
Patch

diff --git a/policy/test_atsecure.te b/policy/test_atsecure.te
index f7ab29a..90e58f1 100644
--- a/policy/test_atsecure.te
+++ b/policy/test_atsecure.te
@@ -35,6 +35,3 @@  allow_map(atsecuredomain, test_file_t, file)
 # Only allow the allowed domain noatsecure permission to the
 # new domain.
 allow test_atsecure_allowed_t test_atsecure_newdomain_t:process noatsecure;
-
-# Allow all of these domains to be entered from the sysadm domain.
-userdom_sysadm_entry_spec_domtrans_to(atsecuredomain)
diff --git a/policy/test_binder.te b/policy/test_binder.te
index e74a2fc..096c467 100644
--- a/policy/test_binder.te
+++ b/policy/test_binder.te
@@ -99,4 +99,3 @@  allow_map(test_binder_client_no_transfer_t, device_t, chr_file)
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(binderdomain)
-userdom_sysadm_entry_spec_domtrans_to(binderdomain)
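Review bot: the banner kept at the top of this hunk, "Allow these domains to be entered from sysadm domain", now sits above only miscfiles_domain_entry_test_files(binderdomain), so a reader of test_binder.te no longer sees where the sysadm_t transition comes from. Reword the banner to describe the test-file entry point, or add a short pointer that the sysadm entry rule now lives in test_global.te for testsuite_domain. The same leftover banner remains in the other files in this patch that use this header style.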
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
index 8c04d19..2d91af2 100644
--- a/policy/test_binder_bpf.te
+++ b/policy/test_binder_bpf.te
@@ -62,4 +62,3 @@  allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(binderbpfdomain)
-userdom_sysadm_entry_spec_domtrans_to(binderbpfdomain)
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
index 58daebd..fb21c29 100644
--- a/policy/test_bpf.te
+++ b/policy/test_bpf.te
@@ -62,4 +62,3 @@  allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_loa
 ############ Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(bpfdomain)
-userdom_sysadm_entry_spec_domtrans_to(bpfdomain)
diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te
index 73ad856..9ce9487 100644
--- a/policy/test_capable_file.te
+++ b/policy/test_capable_file.te
@@ -40,7 +40,6 @@  libs_exec_lib_files(capabledomain)
 
 # Allow test_file_t and bin_t to be entered from sysadm role
 miscfiles_domain_entry_test_files(capabledomain)
-userdom_sysadm_entry_spec_domtrans_to(capabledomain)
 corecmd_bin_entry_type(capabledomain)
 sysadm_bin_spec_domtrans_to(capabledomain)
 
diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te
index 28836b8..0a598a4 100644
--- a/policy/test_dyntrace.te
+++ b/policy/test_dyntrace.te
@@ -26,7 +26,6 @@  typeattribute test_dyntrace_notchild_t dyntracedomain;
 
 # Allow test_files_t to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(dyntracedomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntracedomain)
 miscfiles_exec_test_files(dyntracedomain)
 
 # Grant the necessary permissions for the child domain.
diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te
index c749340..e4110c5 100644
--- a/policy/test_dyntrans.te
+++ b/policy/test_dyntrans.te
@@ -26,5 +26,4 @@  allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(dyntransdomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntransdomain)
 
diff --git a/policy/test_entrypoint.te b/policy/test_entrypoint.te
index 28f4705..1fcbf0c 100644
--- a/policy/test_entrypoint.te
+++ b/policy/test_entrypoint.te
@@ -16,5 +16,4 @@  corecmd_exec_bin(test_entrypoint_t)
 
 # Allow this domain to be entered via its entrypoint type.
 domain_entry_file(test_entrypoint_t, test_entrypoint_execute_t)
-userdom_sysadm_entry_spec_domtrans_to(test_entrypoint_t)
 
diff --git a/policy/test_execshare.te b/policy/test_execshare.te
index 6d8b12e..22ed09f 100644
--- a/policy/test_execshare.te
+++ b/policy/test_execshare.te
@@ -22,7 +22,6 @@  typeattribute test_execshare_notchild_t execsharedomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(execsharedomain)
-userdom_sysadm_entry_spec_domtrans_to(execsharedomain)
 
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te
index a4a8b96..302ba80 100644
--- a/policy/test_exectrace.te
+++ b/policy/test_exectrace.te
@@ -25,7 +25,6 @@  typeattribute test_exectrace_notchild_t exectracedomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(exectracedomain)
-userdom_sysadm_entry_spec_domtrans_to(exectracedomain)
 
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te
index d0a46bc..e310353 100644
--- a/policy/test_execute_no_trans.te
+++ b/policy/test_execute_no_trans.te
@@ -18,7 +18,6 @@  testsuite_domain_type(test_execute_notrans_t);
 
 # Allow this domain to be entered via the shell.
 corecmd_shell_entry_type(test_execute_notrans_t)
-userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
 
 #Allow test_execute_notrans permissions to the allowed type
 can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
index 75636ec..681a71d 100644
--- a/policy/test_extended_socket_class.te
+++ b/policy/test_extended_socket_class.te
@@ -57,4 +57,3 @@  kernel_request_load_module(extsocktestdomain)
 
 # Entry into the test domains via the test program.
 miscfiles_domain_entry_test_files(extsocktestdomain)
-userdom_sysadm_entry_spec_domtrans_to(extsocktestdomain)
diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
index e060ffd..9987503 100644
--- a/policy/test_fdreceive.te
+++ b/policy/test_fdreceive.te
@@ -32,7 +32,6 @@  typeattribute test_fdreceive_server_t fdreceivedomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(fdreceivedomain)
-userdom_sysadm_entry_spec_domtrans_to(fdreceivedomain)
 
 # Grant the necessary permissions for the server domain.
 ## Create the Unix domain socket file.
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
index 5a23931..264a703 100644
--- a/policy/test_fdreceive_bpf.te
+++ b/policy/test_fdreceive_bpf.te
@@ -51,4 +51,3 @@  allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(fdreceivebpfdomain)
-userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain)
diff --git a/policy/test_file.te b/policy/test_file.te
index e20ae3e..9acc211 100644
--- a/policy/test_file.te
+++ b/policy/test_file.te
@@ -55,7 +55,6 @@  libs_exec_lib_files(fileopdomain)
 
 # Allow all of these domains to be entered from sysadm domain
 miscfiles_domain_entry_test_files(fileopdomain)
-userdom_sysadm_entry_spec_domtrans_to(fileopdomain)
 
 corecmd_bin_entry_type(fileopdomain)
 sysadm_bin_spec_domtrans_to(fileopdomain)
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 71075fb..fd06d5d 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -413,4 +413,3 @@  allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate };
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(filesystemdomain)
-userdom_sysadm_entry_spec_domtrans_to(filesystemdomain)
diff --git a/policy/test_global.te b/policy/test_global.te
index 03acc19..5ef3b02 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -40,6 +40,9 @@  term_use_all_terms(testsuite_domain)
 allow testsuite_domain init_t:fd use;
 allow testsuite_domain initrc_t:fd use;
 
+# Allow the test domain to be entered from sysadm_t
+userdom_sysadm_entry_spec_domtrans_to(testsuite_domain)
+
 # Allow the test domains to access the test directory and files
 # even if they are not root owned.
 allow testsuite_domain self:capability { dac_override dac_read_search };
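Review bot: the commit message says the call moves to test_general.te, but this hunk and the diffstat put it in policy/test_global.te; the message should name the file that is actually changed. The new comment reads "Allow the test domain to be entered from sysadm_t" while the rule applies to the whole testsuite_domain attribute and the comment just below says "test domains", so the plural would be consistent. Since 47 per-file calls are dropped in favour of this one line, it is worth confirming that every attribute or type that lost its call (for example test_entrypoint_t, atsecuredomain, transitiondomain) is a member of testsuite_domain, because a type outside the attribute would silently lose the sysadm_t transition.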
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
index 674293f..a403be0 100644
--- a/policy/test_ibendport.te
+++ b/policy/test_ibendport.te
@@ -32,4 +32,3 @@  allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(ibendportdomain)
-userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
index e65895f..de0f5e1 100644
--- a/policy/test_ibpkey.te
+++ b/policy/test_ibpkey.te
@@ -25,4 +25,3 @@  corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(ibpkeydomain)
-userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain)
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index da507d1..dd0e83c 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -161,4 +161,3 @@  kernel_recvfrom_unlabeled_peer(inetsocketdomain)
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(inetsocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(inetsocketdomain)
diff --git a/policy/test_inherit.te b/policy/test_inherit.te
index 31d719e..15ab8fc 100644
--- a/policy/test_inherit.te
+++ b/policy/test_inherit.te
@@ -33,7 +33,6 @@  typeattribute test_inherit_nowrite_t inheritdomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(inheritdomain)
-userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
 
 # Grant the necessary permissions for the parent domain.
 allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te
index 24cff32..955695d 100644
--- a/policy/test_ioctl.te
+++ b/policy/test_ioctl.te
@@ -31,7 +31,6 @@  libs_exec_lib_files(ioctldomain)
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
 miscfiles_domain_entry_test_files(ioctldomain)
-userdom_sysadm_entry_spec_domtrans_to(ioctldomain)
 corecmd_bin_entry_type(ioctldomain)
 sysadm_bin_spec_domtrans_to(ioctldomain)
 
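Review bot: the context comment above the removed line still ends in the truncated "via a shell script in the test directory or by....", and with the userdom call gone it no longer matches the rules that follow it. Either complete the sentence or trim it to what the three remaining macro calls actually set up, so the comment does not imply a sysadm transition that is now defined elsewhere.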
diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index 07f8b4a..f68d35c 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -68,7 +68,6 @@  fs_rw_tmpfs_files(ipcdomain)
 # Allow all of these domains to be entered from user domains.
 # via a shell script in the test directory or by another program.
 miscfiles_domain_entry_test_files(ipcdomain)
-userdom_sysadm_entry_spec_domtrans_to(ipcdomain)
 corecmd_bin_entry_type(ipcdomain)
 sysadm_bin_spec_domtrans_to(ipcdomain)
 
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
index fad5dfd..2763472 100644
--- a/policy/test_key_socket.te
+++ b/policy/test_key_socket.te
@@ -52,7 +52,6 @@  allow test_key_sock_no_read_t self:key_socket { create write setopt };
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(keysockdomain)
-userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
 
 # For CONFIG_NET_KEY=m
 kernel_request_load_module(keysockdomain)
diff --git a/policy/test_keys.te b/policy/test_keys.te
index 142a70c..de1b46c 100644
--- a/policy/test_keys.te
+++ b/policy/test_keys.te
@@ -169,4 +169,3 @@  allow test_request_keys_no_link_t test_keyring_service_t:key { read write search
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(keydomain)
-userdom_sysadm_entry_spec_domtrans_to(keydomain)
diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te
index e816b03..d63dc80 100644
--- a/policy/test_mac_admin.te
+++ b/policy/test_mac_admin.te
@@ -47,4 +47,3 @@  allow mac_admintestdomain unlabeled_t:dir { getattr create };
 
 # Entry into the test domains via the test program.
 corecmd_bin_entry_type(mac_admintestdomain)
-userdom_sysadm_entry_spec_domtrans_to(mac_admintestdomain)
diff --git a/policy/test_module_load.te b/policy/test_module_load.te
index bbb805a..770b2dd 100644
--- a/policy/test_module_load.te
+++ b/policy/test_module_load.te
@@ -46,4 +46,3 @@  neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request }
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(kmoduledomain)
-userdom_sysadm_entry_spec_domtrans_to(kmoduledomain)
diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te
index b9e84e7..ea3fa68 100644
--- a/policy/test_mqueue.te
+++ b/policy/test_mqueue.te
@@ -57,7 +57,6 @@  files_type(mqop_mqrw_t)
 
 # basic permision for all mqopdomains
 miscfiles_domain_entry_test_files(mqopdomain)
-userdom_sysadm_entry_spec_domtrans_to(mqopdomain)
 
 corecmd_bin_entry_type(mqopdomain)
 sysadm_bin_spec_domtrans_to(mqopdomain)
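Review bot: corecmd_bin_entry_type(mqopdomain) and sysadm_bin_spec_domtrans_to(mqopdomain) stay behind as per-domain sysadm entry rules, and the same pair is left in test_capable_file.te, test_file.te, test_ioctl.te, test_ipc.te and test_sigkill.te. If the reasoning in the commit message holds for them as well, they are candidates for the same move to test_global.te; if they are intentionally per-test, a line in the commit message saying so would help. While touching this block, the context comment "basic permision for all mqopdomains" has a typo (permission).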
diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
index 0d6fc5e..589e372 100644
--- a/policy/test_netlink_socket.te
+++ b/policy/test_netlink_socket.te
@@ -43,7 +43,6 @@  netlink_socket_test(netlink_crypto_socket)
 
 # Entry into the test domains via the test program.
 miscfiles_domain_entry_test_files(netlinksocktestdomain)
-userdom_sysadm_entry_spec_domtrans_to(netlinksocktestdomain)
 
 # Trigger kernel module auto-loading of the protocol implementations.
 kernel_request_load_module(netlinksocktestdomain)
diff --git a/policy/test_notify.te b/policy/test_notify.te
index 86979a5..4ffd287 100644
--- a/policy/test_notify.te
+++ b/policy/test_notify.te
@@ -75,4 +75,3 @@  typeattribute test_rdonly_t test_notify_domain;
 allow test_rdonly_t test_notify_file_t:dir { read open watch };
 
 miscfiles_domain_entry_test_files(test_notify_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_notify_domain)
diff --git a/policy/test_open.te b/policy/test_open.te
index acb31d8..0d662f0 100644
--- a/policy/test_open.te
+++ b/policy/test_open.te
@@ -31,4 +31,3 @@  allow test_append_t test_open_file_t:file append_file_perms;
 
 # Allow all of these domains to be entered from sysadm domain
 miscfiles_domain_entry_test_files(test_open_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_open_domain)
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 6d3828a..8a914ff 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -75,4 +75,3 @@  allow_lockdown_confidentiality(test_perf_no_write_t)
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(perfdomain)
-userdom_sysadm_entry_spec_domtrans_to(perfdomain)
diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te
index 3f32136..4b6a5c8 100644
--- a/policy/test_prlimit.te
+++ b/policy/test_prlimit.te
@@ -43,4 +43,3 @@  prlimit_test(getrlimit)
 
 # Entry into the test domains via the test program.
 miscfiles_domain_entry_test_files(prlimittestdomain)
-userdom_sysadm_entry_spec_domtrans_to(prlimittestdomain)
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index 34aa636..f327cc5 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -36,7 +36,6 @@  allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
 # Allow all of these domains to be entered from the sysadm domains.
 # via a program in the test directory.
 miscfiles_domain_entry_test_files(ptracedomain)
-userdom_sysadm_entry_spec_domtrans_to(ptracedomain)
 
 # Allow execution of helper programs.
 corecmd_exec_bin(ptracedomain)
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 4c18c72..7b24b8c 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -234,4 +234,3 @@  allow sctpsocketdomain self:unix_dgram_socket { create ioctl };
 ############ Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(sctpsocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(sctpsocketdomain)
diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te
index a0dce3b..04bed89 100644
--- a/policy/test_sigkill.te
+++ b/policy/test_sigkill.te
@@ -41,7 +41,6 @@  allow test_kill_signal_t test_kill_server_t:process signal;
 # Allow all of these domains to be entered from the sysadm domains,
 # via kill or a program in the test directory.
 miscfiles_domain_entry_test_files(killdomain)
-userdom_sysadm_entry_spec_domtrans_to(killdomain)
 corecmd_bin_entry_type(killdomain)
 sysadm_bin_spec_domtrans_to(killdomain)
 
diff --git a/policy/test_task_create.te b/policy/test_task_create.te
index eb51cd2..54acb50 100644
--- a/policy/test_task_create.te
+++ b/policy/test_task_create.te
@@ -25,4 +25,3 @@  typeattribute test_create_no_t test_create_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_create_d)
-userdom_sysadm_entry_spec_domtrans_to(test_create_d)
diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te
index 1f81f56..dad584e 100644
--- a/policy/test_task_getpgid.te
+++ b/policy/test_task_getpgid.te
@@ -26,7 +26,6 @@  typeattribute test_getpgid_no_t test_getpgid_d;
 
 # Allow domain to be entered from the sysadm domain
 miscfiles_domain_entry_test_files(test_getpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getpgid_d)
 
 # Give test_getpgid_yes_t the permission needed.
 allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te
index c67019b..f541d58 100644
--- a/policy/test_task_getsched.te
+++ b/policy/test_task_getsched.te
@@ -26,7 +26,6 @@  typeattribute test_getsched_no_t test_getsched_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_getsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsched_d)
 
 # Give test_getsched_yes_t the permission needed.
 allow test_getsched_yes_t test_getsched_target_t:process getsched;
diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te
index e5a62f8..8c21d9a 100644
--- a/policy/test_task_getsid.te
+++ b/policy/test_task_getsid.te
@@ -26,7 +26,6 @@  typeattribute test_getsid_no_t test_getsid_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_getsid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsid_d)
 
 # Give test_getsid_yes_t the permission needed.
 allow test_getsid_yes_t test_getsid_target_t:process getsession;
diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te
index 8e98859..25e06d4 100644
--- a/policy/test_task_setpgid.te
+++ b/policy/test_task_setpgid.te
@@ -18,4 +18,3 @@  typeattribute test_setpgid_no_t test_setpgid_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_setpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setpgid_d)
diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te
index c30157e..432135e 100644
--- a/policy/test_task_setsched.te
+++ b/policy/test_task_setsched.te
@@ -28,7 +28,6 @@  typeattribute test_setsched_no_t test_setsched_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_setsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setsched_d)
 
 # Allow these domains to execute renice.
 corecmd_bin_entry_type(test_setsched_d)
diff --git a/policy/test_transition.te b/policy/test_transition.te
index 8f1f4bf..4adc423 100644
--- a/policy/test_transition.te
+++ b/policy/test_transition.te
@@ -25,6 +25,3 @@  corecmd_bin_entry_type(transitiondomain)
 domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
 allow test_transition_fromdomain_t test_transition_todomain_t:fd use;
 allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
-
-# Allow all of these domains to be entered from the sysadm domain.
-userdom_sysadm_entry_spec_domtrans_to(transitiondomain)
diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te
index be317a2..e1aef8d 100644
--- a/policy/test_tun_tap.te
+++ b/policy/test_tun_tap.te
@@ -96,4 +96,3 @@  allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition };
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(tuntapdomain)
-userdom_sysadm_entry_spec_domtrans_to(tuntapdomain)
diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te
index 924475e..69720f0 100644
--- a/policy/test_unix_socket.te
+++ b/policy/test_unix_socket.te
@@ -61,4 +61,3 @@  typeattribute test_socketpair_t unixsocketdomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(unixsocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(unixsocketdomain)
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index 0ca733b..5cb7d1c 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -48,4 +48,3 @@  allow test_uffd_domain self:capability { sys_ptrace };
 
 # Allow all of these domains to be executed
 miscfiles_domain_entry_test_files(test_uffd_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te
index abbcc0b..4bb989a 100644
--- a/policy/test_vsock_socket.te
+++ b/policy/test_vsock_socket.te
@@ -45,4 +45,3 @@  vsock_client(nosetopt, connect create getattr getopt read shutdown write)
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(vsocksocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(vsocksocketdomain)
diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te
index 9fa5a70..101d68a 100644
--- a/policy/test_watchkey.te
+++ b/policy/test_watchkey.te
@@ -20,4 +20,3 @@  typeattribute test_watchkey_no_view_t watchkeydomain;
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(watchkeydomain)
-userdom_sysadm_entry_spec_domtrans_to(watchkeydomain)