From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 09/24] policy: move miscfiles_domain_entry_test_files() to general policy
Date: Fri, 29 Jul 2022 14:02:14 +0200
Message-ID: <20220729120229.207584-10-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>

This is good to have for pretty much all domains, so remove the
individual calls and move it to test_general.te.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_binder.te                | 5 -----
 policy/test_binder_bpf.te            | 5 -----
 policy/test_bounds.te                | 1 -
 policy/test_bpf.te                   | 5 -----
 policy/test_cap_userns.te            | 1 -
 policy/test_capable_file.te          | 1 -
 policy/test_dyntrace.te              | 1 -
 policy/test_dyntrans.te              | 4 ----
 policy/test_execshare.te             | 3 ---
 policy/test_exectrace.te             | 3 ---
 policy/test_extended_socket_class.te | 3 ---
 policy/test_fdreceive.te             | 3 ---
 policy/test_fdreceive_bpf.te         | 3 ---
 policy/test_file.te                  | 3 ---
 policy/test_filesystem.te            | 5 -----
 policy/test_global.te                | 4 +++-
 policy/test_ibendport.te             | 3 ---
 policy/test_ibpkey.te                | 3 ---
 policy/test_inet_socket.te           | 3 ---
 policy/test_inherit.te               | 3 ---
 policy/test_ioctl.te                 | 1 -
 policy/test_ipc.te                   | 1 -
 policy/test_key_socket.te            | 5 -----
 policy/test_keys.te                  | 5 -----
 policy/test_mmap.te                  | 3 ---
 policy/test_module_load.te           | 5 -----
 policy/test_mqueue.te                | 3 ---
 policy/test_netlink_socket.te        | 3 ---
 policy/test_notify.te                | 2 --
 policy/test_open.te                  | 3 ---
 policy/test_perf_event.te            | 5 -----
 policy/test_prlimit.te               | 7 -------
 policy/test_ptrace.te                | 4 ----
 policy/test_sctp.te                  | 5 -----
 policy/test_setnice.te               | 1 -
 policy/test_sigkill.te               | 1 -
 policy/test_task_create.te           | 5 -----
 policy/test_task_getpgid.te          | 3 ---
 policy/test_task_getsched.te         | 3 ---
 policy/test_task_getsid.te           | 3 ---
 policy/test_task_setpgid.te          | 3 ---
 policy/test_task_setsched.te         | 3 ---
 policy/test_tun_tap.te               | 5 -----
 policy/test_unix_socket.te           | 3 ---
 policy/test_userfaultfd.te           | 3 ---
 policy/test_vsock_socket.te          | 3 ---
 policy/test_watchkey.te              | 5 -----
 47 files changed, 3 insertions(+), 152 deletions(-)

diff --git a/policy/test_binder.te b/policy/test_binder.te
index 096c467..4c7974a 100644
--- a/policy/test_binder.te
+++ b/policy/test_binder.te
@@ -94,8 +94,3 @@ allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call };
 allow test_binder_client_no_transfer_t test_binder_provider_t:binder { call impersonate };
 allow test_binder_client_no_transfer_t device_t:chr_file { getattr ioctl open read write };
 allow_map(test_binder_client_no_transfer_t, device_t, chr_file)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(binderdomain)
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
index 2d91af2..fa79320 100644
--- a/policy/test_binder_bpf.te
+++ b/policy/test_binder_bpf.te
@@ -57,8 +57,3 @@ allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
 allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
 allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
 allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(binderbpfdomain)
diff --git a/policy/test_bounds.te b/policy/test_bounds.te
index 60fbd0b..d132d8a 100644
--- a/policy/test_bounds.te
+++ b/policy/test_bounds.te
@@ -63,5 +63,4 @@ allow test_bounds_child_domain test_bounds_file_green_t : file { getattr setattr
 allow test_bounds_child_domain test_bounds_file_blue_t : file { getattr setattr };
 
 # Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(test_bounds_domain)
 sysadm_entry_spec_domtrans(test_bounds_domain)
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
index fb21c29..5eab0bd 100644
--- a/policy/test_bpf.te
+++ b/policy/test_bpf.te
@@ -57,8 +57,3 @@ typeattribute test_bpf_deny_prog_run_t bpfdomain;
 allow test_bpf_deny_prog_run_t self:process { setrlimit };
 allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
-
-#
-############ Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(bpfdomain)
diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
index fa90528..cfa510c 100644
--- a/policy/test_cap_userns.te
+++ b/policy/test_cap_userns.te
@@ -19,7 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t)
 typeattribute test_no_cap_userns_t capusernsdomain;
 
 # Rules common to both domains.
-miscfiles_domain_entry_test_files(capusernsdomain)
 corecmd_exec_bin(capusernsdomain)
 
 # linux >= v5.12 needs setfcap to map UID 0
diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te
index 9ce9487..2383f6e 100644
--- a/policy/test_capable_file.te
+++ b/policy/test_capable_file.te
@@ -39,7 +39,6 @@ libs_exec_ld_so(capabledomain)
 libs_exec_lib_files(capabledomain)
 
 # Allow test_file_t and bin_t to be entered from sysadm role
-miscfiles_domain_entry_test_files(capabledomain)
 corecmd_bin_entry_type(capabledomain)
 sysadm_bin_spec_domtrans_to(capabledomain)
 
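Review bot: the context comment "# Allow test_file_t and bin_t to be entered from sysadm role" is only half true for this file once the miscfiles_domain_entry_test_files(capabledomain) line is gone, since only the bin_t rules remain under it. Reword the comment to cover bin_t alone, or note that the test_file_t entrypoint now comes from test_global.te.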
diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te
index 0a598a4..09f983a 100644
--- a/policy/test_dyntrace.te
+++ b/policy/test_dyntrace.te
@@ -25,7 +25,6 @@ testsuite_domain_type(test_dyntrace_notchild_t)
 typeattribute test_dyntrace_notchild_t dyntracedomain;
 
 # Allow test_files_t to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(dyntracedomain)
 miscfiles_exec_test_files(dyntracedomain)
 
 # Grant the necessary permissions for the child domain.
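Review bot: the comment "# Allow test_files_t to be entered from the sysadm domain." is left behind in the context and now sits directly above miscfiles_exec_test_files(dyntracedomain), which is an exec rule rather than the entrypoint rule it described. Update or drop the comment together with the removed call so it does not mislabel the remaining line.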
diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te
index e4110c5..73fe77d 100644
--- a/policy/test_dyntrans.te
+++ b/policy/test_dyntrans.te
@@ -23,7 +23,3 @@ typeattribute test_dyntrans_todomain_t dyntransdomain;
 
 # Allow the fromdomain to dyntrans to the new domain.
 allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(dyntransdomain)
-
diff --git a/policy/test_execshare.te b/policy/test_execshare.te
index 22ed09f..c127662 100644
--- a/policy/test_execshare.te
+++ b/policy/test_execshare.te
@@ -20,9 +20,6 @@ type test_execshare_notchild_t;
 testsuite_domain_type(test_execshare_notchild_t);
 typeattribute test_execshare_notchild_t execsharedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(execsharedomain)
-
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
 allow test_execshare_parent_t test_execshare_child_t:fd use;
diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te
index 302ba80..d5b74ad 100644
--- a/policy/test_exectrace.te
+++ b/policy/test_exectrace.te
@@ -23,9 +23,6 @@ type test_exectrace_notchild_t;
 testsuite_domain_type(test_exectrace_notchild_t)
 typeattribute test_exectrace_notchild_t exectracedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(exectracedomain)
-
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
 allow test_exectrace_parent_t test_exectrace_child_t:fd use;
diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
index 681a71d..c8840b4 100644
--- a/policy/test_extended_socket_class.te
+++ b/policy/test_extended_socket_class.te
@@ -54,6 +54,3 @@ extended_socket_class_test(alg_socket, socket)
 
 # Trigger kernel module auto-loading of the network protocol implementations.
 kernel_request_load_module(extsocktestdomain)
-
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(extsocktestdomain)
diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
index 9987503..df9e974 100644
--- a/policy/test_fdreceive.te
+++ b/policy/test_fdreceive.te
@@ -30,9 +30,6 @@ type test_fdreceive_server_t;
 testsuite_domain_type(test_fdreceive_server_t);
 typeattribute test_fdreceive_server_t fdreceivedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(fdreceivedomain)
-
 # Grant the necessary permissions for the server domain.
 ## Create the Unix domain socket file.
 allow test_fdreceive_server_t test_file_t:dir rw_dir_perms;
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
index 264a703..fd633ae 100644
--- a/policy/test_fdreceive_bpf.te
+++ b/policy/test_fdreceive_bpf.te
@@ -48,6 +48,3 @@ allow test_fdreceive_bpf_client3_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(fdreceivebpfdomain)
diff --git a/policy/test_file.te b/policy/test_file.te
index 9acc211..5bb0398 100644
--- a/policy/test_file.te
+++ b/policy/test_file.te
@@ -53,9 +53,6 @@ libs_use_shared_libs(fileopdomain)
 libs_exec_ld_so(fileopdomain)
 libs_exec_lib_files(fileopdomain)
 
-# Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(fileopdomain)
-
 corecmd_bin_entry_type(fileopdomain)
 sysadm_bin_spec_domtrans_to(fileopdomain)
 
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index fd06d5d..5de489c 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -408,8 +408,3 @@ allow test_filesystem_no_mount_t dosfs_t:filesystem { associate };
 allow test_filesystem_no_remount_t dosfs_t:filesystem { associate };
 allow test_filesystem_no_unmount_t dosfs_t:filesystem { associate };
 allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(filesystemdomain)
diff --git a/policy/test_global.te b/policy/test_global.te
index 5ef3b02..667c272 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -51,8 +51,10 @@ allow testsuite_domain self:capability { dac_override dac_read_search };
 #allow sysadm_t self:process setexec;
 #selinux_get_fs_mount(sysadm_t)
 
-# Let all test domains read test directories and files.
+# Let all test domains read test directories and files and to use test
+# files as entry points.
 miscfiles_read_test_files(testsuite_domain)
+miscfiles_domain_entry_test_files(testsuite_domain)
 
 # Let the test domains set their current, exec and fscreate contexts.
 allow testsuite_domain self:process setcurrent;
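Review bot: the commit message says the call moves to test_general.te, but the file changed here is policy/test_global.te; the message should name the file the hunk actually touches. The entrypoint is now granted to every type carrying the testsuite_domain attribute, while the message only claims it is good for "pretty much all domains", so it would help to state which domains did not have it before and that no test depends on one of them lacking entry through test files. The new comment also reads awkwardly ("read ... and to use"); "Let all test domains read test directories and files and use test files as entry points." is cleaner.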
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
index a403be0..ccfea28 100644
--- a/policy/test_ibendport.te
+++ b/policy/test_ibendport.te
@@ -29,6 +29,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
 ')
 
 allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(ibendportdomain)
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
index de0f5e1..863ff16 100644
--- a/policy/test_ibpkey.te
+++ b/policy/test_ibpkey.te
@@ -22,6 +22,3 @@ corenet_ib_pkey(test_ibpkey_t)
 ifdef(`corenet_ib_access_unlabeled_pkeys',`
 corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
 ')
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(ibpkeydomain)
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index dd0e83c..5feb801 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -158,6 +158,3 @@ allow test_inet_client_t test_server_packet_t:packet { send recv };
 # Send/recv unlabeled packets.
 kernel_sendrecv_unlabeled_packets(inetsocketdomain)
 kernel_recvfrom_unlabeled_peer(inetsocketdomain)
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(inetsocketdomain)
diff --git a/policy/test_inherit.te b/policy/test_inherit.te
index 15ab8fc..da26ea3 100644
--- a/policy/test_inherit.te
+++ b/policy/test_inherit.te
@@ -31,9 +31,6 @@ type test_inherit_nowrite_t;
 testsuite_domain_type(test_inherit_nowrite_t)
 typeattribute test_inherit_nowrite_t inheritdomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(inheritdomain)
-
 # Grant the necessary permissions for the parent domain.
 allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
 
diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te
index 955695d..dc645f4 100644
--- a/policy/test_ioctl.te
+++ b/policy/test_ioctl.te
@@ -30,7 +30,6 @@ libs_exec_lib_files(ioctldomain)
 
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
-miscfiles_domain_entry_test_files(ioctldomain)
 corecmd_bin_entry_type(ioctldomain)
 sysadm_bin_spec_domtrans_to(ioctldomain)
 
diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index f68d35c..21d997b 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -67,7 +67,6 @@ fs_rw_tmpfs_files(ipcdomain)
 
 # Allow all of these domains to be entered from user domains.
 # via a shell script in the test directory or by another program.
-miscfiles_domain_entry_test_files(ipcdomain)
 corecmd_bin_entry_type(ipcdomain)
 sysadm_bin_spec_domtrans_to(ipcdomain)
 
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
index 2763472..27a1545 100644
--- a/policy/test_key_socket.te
+++ b/policy/test_key_socket.te
@@ -48,10 +48,5 @@ typeattribute test_key_sock_no_read_t keysockdomain;
 allow test_key_sock_no_read_t self:capability { net_admin };
 allow test_key_sock_no_read_t self:key_socket { create write setopt };
 
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(keysockdomain)
-
 # For CONFIG_NET_KEY=m
 kernel_request_load_module(keysockdomain)
diff --git a/policy/test_keys.te b/policy/test_keys.te
index de1b46c..250950e 100644
--- a/policy/test_keys.te
+++ b/policy/test_keys.te
@@ -164,8 +164,3 @@ typeattribute test_request_keys_no_link_t keydomain;
 
 allow test_request_keys_no_link_t self:key { create write search read view link setattr };
 allow test_request_keys_no_link_t test_keyring_service_t:key { read write search view setattr };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(keydomain)
diff --git a/policy/test_mmap.te b/policy/test_mmap.te
index eb59dbe..d0850cc 100644
--- a/policy/test_mmap.te
+++ b/policy/test_mmap.te
@@ -152,6 +152,3 @@ testsuite_domain_type(test_no_execmod_t)
 typeattribute test_no_execmod_t mmaptestdomain;
 allow test_no_execmod_t test_mmap_file_t:file { open read execute };
 allow_map(test_no_execmod_t, test_mmap_file_t, file)
-
-# Allow entrypoint via the test programs.
-miscfiles_domain_entry_test_files(mmaptestdomain)
diff --git a/policy/test_module_load.te b/policy/test_module_load.te
index 770b2dd..a856706 100644
--- a/policy/test_module_load.te
+++ b/policy/test_module_load.te
@@ -41,8 +41,3 @@ allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
 allow test_kmodule_deny_module_request_t self:system { module_load };
 allow_lockdown_integrity(test_kmodule_deny_module_request_t)
 neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(kmoduledomain)
diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te
index ea3fa68..65ffe6d 100644
--- a/policy/test_mqueue.te
+++ b/policy/test_mqueue.te
@@ -55,9 +55,6 @@ type mqop_mqrw_t;
 files_type(mqop_mqrw_t)
 
 
-# basic permision for all mqopdomains
-miscfiles_domain_entry_test_files(mqopdomain)
-
 corecmd_bin_entry_type(mqopdomain)
 sysadm_bin_spec_domtrans_to(mqopdomain)
 
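Review bot: the removed comment "# basic permision for all mqopdomains" was the only heading for the corecmd_bin_entry_type(mqopdomain) and sysadm_bin_spec_domtrans_to(mqopdomain) lines that stay, so after this hunk they follow two blank lines with no description. Keep a heading comment for them (with the spelling fixed) and remove only the miscfiles_domain_entry_test_files(mqopdomain) call and its trailing blank line.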
diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
index 589e372..b6d39c2 100644
--- a/policy/test_netlink_socket.te
+++ b/policy/test_netlink_socket.te
@@ -41,8 +41,5 @@ netlink_socket_test(netlink_crypto_socket)
 # Common rules for all netlink socket class test domains.
 #
 
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(netlinksocktestdomain)
-
 # Trigger kernel module auto-loading of the protocol implementations.
 kernel_request_load_module(netlinksocktestdomain)
diff --git a/policy/test_notify.te b/policy/test_notify.te
index 4ffd287..fe60274 100644
--- a/policy/test_notify.te
+++ b/policy/test_notify.te
@@ -73,5 +73,3 @@ testsuite_domain_type(test_rdonly_t)
 typeattribute test_rdonly_t test_notify_domain;
 
 allow test_rdonly_t test_notify_file_t:dir { read open watch };
-
-miscfiles_domain_entry_test_files(test_notify_domain)
diff --git a/policy/test_open.te b/policy/test_open.te
index 0d662f0..f01a5fe 100644
--- a/policy/test_open.te
+++ b/policy/test_open.te
@@ -28,6 +28,3 @@ type test_append_t;
 testsuite_domain_type(test_append_t)
 typeattribute test_append_t test_open_domain;
 allow test_append_t test_open_file_t:file append_file_perms;
-
-# Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(test_open_domain)
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 8a914ff..5db46cd 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -70,8 +70,3 @@ typeattribute test_perf_no_write_t perfdomain;
 allow test_perf_no_write_t self:capability2 { perfmon };
 allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
 allow_lockdown_confidentiality(test_perf_no_write_t)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(perfdomain)
diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te
index 4b6a5c8..b0314f3 100644
--- a/policy/test_prlimit.te
+++ b/policy/test_prlimit.te
@@ -36,10 +36,3 @@ spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t)
 
 prlimit_test(setrlimit)
 prlimit_test(getrlimit)
-
-#
-# Common rules for all prlimit test domains.
-#
-
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(prlimittestdomain)
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index f327cc5..8c1d71c 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -33,10 +33,6 @@ userdom_search_user_home_dirs(test_ptrace_traced_t)
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
 
-# Allow all of these domains to be entered from the sysadm domains.
-# via a program in the test directory.
-miscfiles_domain_entry_test_files(ptracedomain)
-
 # Allow execution of helper programs.
 corecmd_exec_bin(ptracedomain)
 domain_exec_all_entry_files(ptracedomain)
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 7b24b8c..e276153 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -229,8 +229,3 @@ allow sctpsocketdomain proc_net_t:file { read };
 allow sctpsocketdomain sysctl_net_t:dir { search };
 allow sctpsocketdomain self:udp_socket { create };
 allow sctpsocketdomain self:unix_dgram_socket { create ioctl };
-
-#
-############ Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(sctpsocketdomain)
diff --git a/policy/test_setnice.te b/policy/test_setnice.te
index 34a2e73..2c34643 100644
--- a/policy/test_setnice.te
+++ b/policy/test_setnice.te
@@ -31,7 +31,6 @@ libs_exec_lib_files(setnicedomain)
 
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
-miscfiles_domain_entry_test_files(setnicedomain)
 domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
 domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
 allow test_setnice_change_t test_setnice_set_t:fd use;
diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te
index 04bed89..1aaa0af 100644
--- a/policy/test_sigkill.te
+++ b/policy/test_sigkill.te
@@ -40,7 +40,6 @@ allow test_kill_signal_t test_kill_server_t:process signal;
 
 # Allow all of these domains to be entered from the sysadm domains,
 # via kill or a program in the test directory.
-miscfiles_domain_entry_test_files(killdomain)
 corecmd_bin_entry_type(killdomain)
 sysadm_bin_spec_domtrans_to(killdomain)
 
diff --git a/policy/test_task_create.te b/policy/test_task_create.te
index 54acb50..b90b2e3 100644
--- a/policy/test_task_create.te
+++ b/policy/test_task_create.te
@@ -20,8 +20,3 @@ type test_create_no_t;
 # as it makes the permission effectively unusable in real policy.
 testsuite_domain_type_minimal(test_create_no_t)
 typeattribute test_create_no_t test_create_d;
-
-# General rules for the test_create_d
-
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_create_d)
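Review bot: test_create_no_t is declared with testsuite_domain_type_minimal() in the context above, and this hunk drops the only entrypoint grant visible for test_create_d, while the replacement in test_global.te is keyed on the testsuite_domain attribute. If the minimal macro does not assign testsuite_domain, this domain can no longer be entered through test files; please confirm that it does, and say so in the commit message. The same question applies to test_setpgid_no_t in the test_task_setpgid.te hunk.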
diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te
index dad584e..4c499f7 100644
--- a/policy/test_task_getpgid.te
+++ b/policy/test_task_getpgid.te
@@ -24,8 +24,5 @@ type test_getpgid_no_t;
 testsuite_domain_type(test_getpgid_no_t)
 typeattribute test_getpgid_no_t test_getpgid_d;
 
-# Allow domain to be entered from the sysadm domain
-miscfiles_domain_entry_test_files(test_getpgid_d)
-
 # Give test_getpgid_yes_t the permission needed.
 allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te
index f541d58..98b267f 100644
--- a/policy/test_task_getsched.te
+++ b/policy/test_task_getsched.te
@@ -24,8 +24,5 @@ type test_getsched_no_t;
 testsuite_domain_type(test_getsched_no_t)
 typeattribute test_getsched_no_t test_getsched_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_getsched_d)
-
 # Give test_getsched_yes_t the permission needed.
 allow test_getsched_yes_t test_getsched_target_t:process getsched;
diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te
index 8c21d9a..b53d454 100644
--- a/policy/test_task_getsid.te
+++ b/policy/test_task_getsid.te
@@ -24,8 +24,5 @@ type test_getsid_no_t;
 testsuite_domain_type(test_getsid_no_t)
 typeattribute test_getsid_no_t test_getsid_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_getsid_d)
-
 # Give test_getsid_yes_t the permission needed.
 allow test_getsid_yes_t test_getsid_target_t:process getsession;
diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te
index 25e06d4..bb8afa7 100644
--- a/policy/test_task_setpgid.te
+++ b/policy/test_task_setpgid.te
@@ -15,6 +15,3 @@ typeattribute test_setpgid_yes_t test_setpgid_d;
 type test_setpgid_no_t;
 testsuite_domain_type_minimal(test_setpgid_no_t)
 typeattribute test_setpgid_no_t test_setpgid_d;
-
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_setpgid_d)
diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te
index 432135e..3e75cf6 100644
--- a/policy/test_task_setsched.te
+++ b/policy/test_task_setsched.te
@@ -26,9 +26,6 @@ type test_setsched_no_t;
 testsuite_domain_type(test_setsched_no_t)
 typeattribute test_setsched_no_t test_setsched_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_setsched_d)
-
 # Allow these domains to execute renice.
 corecmd_bin_entry_type(test_setsched_d)
 
diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te
index e1aef8d..28efc10 100644
--- a/policy/test_tun_tap.te
+++ b/policy/test_tun_tap.te
@@ -91,8 +91,3 @@ allow test_newcon_no_from_tun_tap_t self:tun_socket { relabelto };
 # For switch back on error:
 allow test_tun_tap_t test_newcon_no_from_tun_tap_t:fd { use };
 allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(tuntapdomain)
diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te
index 69720f0..f4e9e41 100644
--- a/policy/test_unix_socket.te
+++ b/policy/test_unix_socket.te
@@ -58,6 +58,3 @@ allow test_unix_server_t test_unix_dgram_client_t:unix_dgram_socket sendto;
 type test_socketpair_t;
 testsuite_domain_type(test_socketpair_t)
 typeattribute test_socketpair_t unixsocketdomain;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(unixsocketdomain)
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index 5cb7d1c..f5a6613 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -45,6 +45,3 @@ userfaultfd_domain_type(test_noread_uffd_t)
 
 # userfaultfd(2) requires CAP_SYS_PTRACE
 allow test_uffd_domain self:capability { sys_ptrace };
-
-# Allow all of these domains to be executed
-miscfiles_domain_entry_test_files(test_uffd_domain)
diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te
index 4bb989a..dbd47f4 100644
--- a/policy/test_vsock_socket.te
+++ b/policy/test_vsock_socket.te
@@ -42,6 +42,3 @@ vsock_client(noread, connect create getattr getopt setopt shutdown write)
 vsock_client(nogetattr, connect create getopt setopt read shutdown write)
 vsock_client(nogetopt, connect create getattr setopt read shutdown write)
 vsock_client(nosetopt, connect create getattr getopt read shutdown write)
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(vsocksocketdomain)
diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te
index 101d68a..a85bd20 100644
--- a/policy/test_watchkey.te
+++ b/policy/test_watchkey.te
@@ -15,8 +15,3 @@ allow test_watchkey_t self:key { view };
 type test_watchkey_no_view_t;
 testsuite_domain_type(test_watchkey_no_view_t)
 typeattribute test_watchkey_no_view_t watchkeydomain;
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(watchkeydomain)
-- 
2.37.1

