[PATCH testsuite 00/24] Clean up testsuite policy and support running as sysadm_t

[PATCH testsuite 00/24] Clean up testsuite policy and support running as sysadm_t

[Ondrej Mosnacek]

This series aim for two things:
1. Refactor the policy so that it is easier to work with.
2. Leverage the refactoring to fully support running the testsuite
   as sysadm_u:sysadm_r:sysadm_t.

The gist of this work lies in unifying how test domains are defined,
deduplicating the various boilerplate spread out all across the
individual files (and not even used consistently), and in abstracting
the policy caller domain/role away from the individual test policies
into test_general.te. Some tests also had to be massaged to not
hard-code unconfined_* and be generic against the context of the
testsuite caller.

The series also extends the CI to test running the testsuite as sysadm_*
and also verify that no unconfined_t/sysadm_t unexpected denials are
produced (which would usually indicate a missing dontaudit rule in the
testsuite policy).

Ondrej Mosnacek (24):
  keys: change test_newcon_key_t to be just an object context
  test_global.te: remove unused role require
  test_global.te: don't add domains to system_r
  policy: refactor declaring test domains
  policy: get rid of unconfined_runs_test()
  test_policy.if: remove weird rule from testsuite_domain_type_minimal()
  policy: move unconfined_t-related dontaudit rule to where it fits
    better
  policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy
  policy: move miscfiles_domain_entry_test_files() to general policy
  policy: substitute userdom_sysadm_entry_spec_domtrans_to()
  test_general.te: move sysadm-related rules into an optional block
  test_filesystem.te: remove redundant dontaudit rules
  test_filesystem.te: remove suspicious rules
  tests/nnp_nosuid: avoid hardcoding unconfined_t in the policy
  tests/*filesystem: remove weird uses of unconfined_t
  policy: remove last hardcoded references to unconfined_t
  test_general.te: generalize the dontaudit rule
  policy: don't audit testsuite programs searching the caller's keys
  ci: check for unconfined_t AVCs
  tests/binder: check only the type part of the context
  tests/overlay: don't hard-code SELinux user of the caller
  policy: give sysadm_t perms needed to run quotacheck(8)
  tests/vsock_socket: use modprobe to check vsock availability
  ci: add sysadm_t to the test matrix

 .github/workflows/checks.yml         |   4 +
 Vagrantfile                          |  16 +++
 policy/test_atsecure.te              |  15 +--
 policy/test_attrib.te                |   1 -
 policy/test_binder.te                |  38 ++-----
 policy/test_binder_bpf.te            |  22 +---
 policy/test_bounds.te                |  11 +-
 policy/test_bpf.te                   |  30 +----
 policy/test_cap_userns.te            |   9 +-
 policy/test_capable_file.te          |  18 +--
 policy/test_capable_net.te           |   8 +-
 policy/test_capable_sys.te           |   8 +-
 policy/test_dyntrace.te              |  14 +--
 policy/test_dyntrans.te              |  17 +--
 policy/test_entrypoint.te            |   5 +-
 policy/test_execshare.te             |  16 +--
 policy/test_exectrace.te             |  16 +--
 policy/test_execute_no_trans.te      |   5 +-
 policy/test_extended_socket_class.te |  12 +-
 policy/test_fdreceive.te             |  16 +--
 policy/test_fdreceive_bpf.te         |  16 +--
 policy/test_file.te                  |  16 +--
 policy/test_filesystem.te            |  99 ++++-------------
 policy/test_filesystem_name_trans.te |   4 +-
 policy/test_filesystem_notify.te     |  12 +-
 policy/test_global.te                | 157 ++++++++++++++++++---------
 policy/test_ibendport.te             |   8 +-
 policy/test_ibpkey.te                |   8 +-
 policy/test_inet_socket.te           |  44 ++------
 policy/test_inherit.te               |  20 +---
 policy/test_ioctl.te                 |  10 +-
 policy/test_ioctl_xperms.te          |   8 +-
 policy/test_ipc.te                   |  18 +--
 policy/test_key_socket.te            |  26 +----
 policy/test_keys.te                  | 104 ++++--------------
 policy/test_link.te                  |  24 +---
 policy/test_mac_admin.te             |   9 +-
 policy/test_mkdir.te                 |  20 +---
 policy/test_mmap.te                  |  79 ++++----------
 policy/test_module_load.te           |  47 ++------
 policy/test_mqueue.te                |  16 +--
 policy/test_netlink_socket.te        |  12 +-
 policy/test_nnp_nosuid.te            |  46 ++++----
 policy/test_notify.te                |  35 ++----
 policy/test_open.te                  |  16 +--
 policy/test_overlayfs.te             |  15 +--
 policy/test_perf_event.te            |  38 ++-----
 policy/test_policy.if                |  71 ++++++------
 policy/test_prlimit.te               |  20 +---
 policy/test_ptrace.te                |  17 +--
 policy/test_readlink.te              |   8 +-
 policy/test_relabel.te               |  12 +-
 policy/test_rename.te                |  32 ++----
 policy/test_rxdir.te                 |   8 +-
 policy/test_sctp.te                  |  52 ++-------
 policy/test_setattr.te               |   8 +-
 policy/test_setnice.te               |  13 +--
 policy/test_sigkill.te               |  22 +---
 policy/test_stat.te                  |   8 +-
 policy/test_sysctl.te                |   8 +-
 policy/test_task_create.te           |  38 +------
 policy/test_task_getpgid.te          |  16 +--
 policy/test_task_getsched.te         |  16 +--
 policy/test_task_getsid.te           |  16 +--
 policy/test_task_setpgid.te          |  34 +-----
 policy/test_task_setsched.te         |  16 +--
 policy/test_transition.te            |  15 +--
 policy/test_tun_tap.te               |  34 ++----
 policy/test_unix_socket.te           |  20 +---
 policy/test_userfaultfd.te           |   8 +-
 policy/test_vsock_socket.te          |  12 +-
 policy/test_watchkey.te              |  14 +--
 tests/binder/binder_common.h         |   1 +
 tests/binder/service_provider.c      |  31 ++++--
 tests/binder/test                    |   2 +-
 tests/filesystem/test                |   4 +-
 tests/fs_filesystem/test             |   4 +-
 tests/keys/test                      |   2 +-
 tests/nfs_filesystem/test            |   4 +-
 tests/nnp_nosuid/test                |  45 +++++---
 tests/overlay/setup-overlay          |   2 +-
 tests/overlay/test                   |  34 +++---
 tests/vsock_socket/.gitignore        |   1 -
 tests/vsock_socket/Makefile          |   2 +-
 tests/vsock_socket/check_vsock.c     |  47 --------
 tests/vsock_socket/test              |  11 +-
 86 files changed, 550 insertions(+), 1346 deletions(-)
 delete mode 100644 tests/vsock_socket/check_vsock.c

-- 
2.37.1

[PATCH testsuite 01/24] keys: change test_newcon_key_t to be just an object context

[Ondrej Mosnacek]

It's only used to test chaing the label of a key, so there is no need to
declare it as a domain type.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_keys.te | 4 ----
 tests/keys/test     | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/policy/test_keys.te b/policy/test_keys.te
index 78c0663..f6a3f2c 100644
--- a/policy/test_keys.te
+++ b/policy/test_keys.te
@@ -40,10 +40,6 @@ allow test_key_t self:key { create write search read view link setattr };
 
 # Set new context on a keyring:
 type test_newcon_key_t;
-key_domain_type(test_newcon_key_t)
-unconfined_runs_test(test_newcon_key_t)
-typeattribute test_newcon_key_t testdomain;
-typeattribute test_newcon_key_t keydomain;
 
 allow test_key_t test_newcon_key_t:key { create write search view };
 
diff --git a/tests/keys/test b/tests/keys/test
index 2dafb17..061bc62 100755
--- a/tests/keys/test
+++ b/tests/keys/test
@@ -67,7 +67,7 @@ ok( $result >> 8 eq 11 );
 
 print "Change keyring context\n";
 $result = system
-"runcon -t test_key_t $basedir/keyctl_relabel $v system_u:system_r:test_newcon_key_t:s0";
+"runcon -t test_key_t $basedir/keyctl_relabel $v system_u:object_r:test_newcon_key_t:s0";
 ok( $result eq 0 );
 
 print "Test permission checks between a keyring created by another process\n";
-- 
2.37.1

[PATCH testsuite 02/24] test_global.te: remove unused role require

[Ondrej Mosnacek]

The staff_r role is not used and can be dropped.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index d19b4be..dae20d6 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -9,7 +9,6 @@ policy_module(test_policy,1.0.0)
 attribute testdomain;
 
 gen_require(`
-	role staff_r;
 	role system_r;
 	role sysadm_r;
 ')
-- 
2.37.1

[PATCH testsuite 03/24] test_global.te: don't add domains to system_r

[Ondrej Mosnacek]

It doesn't seem to be useful and is unlikely to work without extra rules
anyway.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index dae20d6..800e55f 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -9,13 +9,11 @@ policy_module(test_policy,1.0.0)
 attribute testdomain;
 
 gen_require(`
-	role system_r;
 	role sysadm_r;
 ')
 
-# Authorize sysadm_r and system_r for the test domains.
+# Authorize sysadm_r for the test domains.
 role sysadm_r types testdomain;
-role system_r types testdomain;
 
 # Allow the test domains to access the sysadm terminal.
 # This allows read and write sysadm ttys and ptys.
-- 
2.37.1

[PATCH testsuite 06/24] test_policy.if: remove weird rule from testsuite_domain_type_minimal()

[Ondrej Mosnacek]

The rule doesn't depend on the target domain, so it doesn't make sense
for it to be there.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_policy.if | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/test_policy.if b/policy/test_policy.if
index 4912efd..f17a384 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -49,7 +49,7 @@ interface(`testsuite_domain_type',`
 
 interface(`testsuite_domain_type_minimal',`
 	gen_require(`
-		type setrans_var_run_t, syslogd_t, unconfined_t;
+		type setrans_var_run_t, unconfined_t;
 	')
 
 	testsuite_domain_type_common($1)
@@ -59,7 +59,6 @@ interface(`testsuite_domain_type_minimal',`
 	allow $1 proc_t:lnk_file { read };
 	allow $1 self:dir { search };
 	allow $1 self:file { open read write };
-	dontaudit init_t syslogd_t:fd use;
 	dontaudit $1 security_t:filesystem getattr;
 	dontaudit $1 self:file getattr;
 	dontaudit $1 setrans_var_run_t:dir search;
-- 
2.37.1

[PATCH testsuite 07/24] policy: move unconfined_t-related dontaudit rule to where it fits better

[Ondrej Mosnacek]

Even though it is only needed for the 'minimal' domains, it will be
cleaner to apply it to all of them inside the optional block.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 2 ++
 policy/test_policy.if | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index 83e573c..03acc19 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -21,6 +21,8 @@ optional_policy(`
 	allow testsuite_domain unconfined_t:fd use;
 	allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr };
 	allow testsuite_domain unconfined_t:process { sigchld };
+	# needed for domains outside domain_type()
+	dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
 ')
 
 gen_require(`
diff --git a/policy/test_policy.if b/policy/test_policy.if
index f17a384..6cef8dd 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -49,7 +49,7 @@ interface(`testsuite_domain_type',`
 
 interface(`testsuite_domain_type_minimal',`
 	gen_require(`
-		type setrans_var_run_t, unconfined_t;
+		type setrans_var_run_t;
 	')
 
 	testsuite_domain_type_common($1)
@@ -62,7 +62,6 @@ interface(`testsuite_domain_type_minimal',`
 	dontaudit $1 security_t:filesystem getattr;
 	dontaudit $1 self:file getattr;
 	dontaudit $1 setrans_var_run_t:dir search;
-	dontaudit unconfined_t $1:process { noatsecure rlimitinh siginh };
 ')
 
 # Workarounds for refpolicy:
-- 
2.37.1

[PATCH testsuite 08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy

[Ondrej Mosnacek]

This is good to have for pretty much all domains, so remove the
individual calls and move it to test_general.te.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_atsecure.te              | 3 ---
 policy/test_binder.te                | 1 -
 policy/test_binder_bpf.te            | 1 -
 policy/test_bpf.te                   | 1 -
 policy/test_capable_file.te          | 1 -
 policy/test_dyntrace.te              | 1 -
 policy/test_dyntrans.te              | 1 -
 policy/test_entrypoint.te            | 1 -
 policy/test_execshare.te             | 1 -
 policy/test_exectrace.te             | 1 -
 policy/test_execute_no_trans.te      | 1 -
 policy/test_extended_socket_class.te | 1 -
 policy/test_fdreceive.te             | 1 -
 policy/test_fdreceive_bpf.te         | 1 -
 policy/test_file.te                  | 1 -
 policy/test_filesystem.te            | 1 -
 policy/test_global.te                | 3 +++
 policy/test_ibendport.te             | 1 -
 policy/test_ibpkey.te                | 1 -
 policy/test_inet_socket.te           | 1 -
 policy/test_inherit.te               | 1 -
 policy/test_ioctl.te                 | 1 -
 policy/test_ipc.te                   | 1 -
 policy/test_key_socket.te            | 1 -
 policy/test_keys.te                  | 1 -
 policy/test_mac_admin.te             | 1 -
 policy/test_module_load.te           | 1 -
 policy/test_mqueue.te                | 1 -
 policy/test_netlink_socket.te        | 1 -
 policy/test_notify.te                | 1 -
 policy/test_open.te                  | 1 -
 policy/test_perf_event.te            | 1 -
 policy/test_prlimit.te               | 1 -
 policy/test_ptrace.te                | 1 -
 policy/test_sctp.te                  | 1 -
 policy/test_sigkill.te               | 1 -
 policy/test_task_create.te           | 1 -
 policy/test_task_getpgid.te          | 1 -
 policy/test_task_getsched.te         | 1 -
 policy/test_task_getsid.te           | 1 -
 policy/test_task_setpgid.te          | 1 -
 policy/test_task_setsched.te         | 1 -
 policy/test_transition.te            | 3 ---
 policy/test_tun_tap.te               | 1 -
 policy/test_unix_socket.te           | 1 -
 policy/test_userfaultfd.te           | 1 -
 policy/test_vsock_socket.te          | 1 -
 policy/test_watchkey.te              | 1 -
 48 files changed, 3 insertions(+), 51 deletions(-)

diff --git a/policy/test_atsecure.te b/policy/test_atsecure.te
index f7ab29a..90e58f1 100644
--- a/policy/test_atsecure.te
+++ b/policy/test_atsecure.te
@@ -35,6 +35,3 @@ allow_map(atsecuredomain, test_file_t, file)
 # Only allow the allowed domain noatsecure permission to the
 # new domain.
 allow test_atsecure_allowed_t test_atsecure_newdomain_t:process noatsecure;
-
-# Allow all of these domains to be entered from the sysadm domain.
-userdom_sysadm_entry_spec_domtrans_to(atsecuredomain)
diff --git a/policy/test_binder.te b/policy/test_binder.te
index e74a2fc..096c467 100644
--- a/policy/test_binder.te
+++ b/policy/test_binder.te
@@ -99,4 +99,3 @@ allow_map(test_binder_client_no_transfer_t, device_t, chr_file)
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(binderdomain)
-userdom_sysadm_entry_spec_domtrans_to(binderdomain)
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
index 8c04d19..2d91af2 100644
--- a/policy/test_binder_bpf.te
+++ b/policy/test_binder_bpf.te
@@ -62,4 +62,3 @@ allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(binderbpfdomain)
-userdom_sysadm_entry_spec_domtrans_to(binderbpfdomain)
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
index 58daebd..fb21c29 100644
--- a/policy/test_bpf.te
+++ b/policy/test_bpf.te
@@ -62,4 +62,3 @@ allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_loa
 ############ Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(bpfdomain)
-userdom_sysadm_entry_spec_domtrans_to(bpfdomain)
diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te
index 73ad856..9ce9487 100644
--- a/policy/test_capable_file.te
+++ b/policy/test_capable_file.te
@@ -40,7 +40,6 @@ libs_exec_lib_files(capabledomain)
 
 # Allow test_file_t and bin_t to be entered from sysadm role
 miscfiles_domain_entry_test_files(capabledomain)
-userdom_sysadm_entry_spec_domtrans_to(capabledomain)
 corecmd_bin_entry_type(capabledomain)
 sysadm_bin_spec_domtrans_to(capabledomain)
 
diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te
index 28836b8..0a598a4 100644
--- a/policy/test_dyntrace.te
+++ b/policy/test_dyntrace.te
@@ -26,7 +26,6 @@ typeattribute test_dyntrace_notchild_t dyntracedomain;
 
 # Allow test_files_t to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(dyntracedomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntracedomain)
 miscfiles_exec_test_files(dyntracedomain)
 
 # Grant the necessary permissions for the child domain.
diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te
index c749340..e4110c5 100644
--- a/policy/test_dyntrans.te
+++ b/policy/test_dyntrans.te
@@ -26,5 +26,4 @@ allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(dyntransdomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntransdomain)
 
diff --git a/policy/test_entrypoint.te b/policy/test_entrypoint.te
index 28f4705..1fcbf0c 100644
--- a/policy/test_entrypoint.te
+++ b/policy/test_entrypoint.te
@@ -16,5 +16,4 @@ corecmd_exec_bin(test_entrypoint_t)
 
 # Allow this domain to be entered via its entrypoint type.
 domain_entry_file(test_entrypoint_t, test_entrypoint_execute_t)
-userdom_sysadm_entry_spec_domtrans_to(test_entrypoint_t)
 
diff --git a/policy/test_execshare.te b/policy/test_execshare.te
index 6d8b12e..22ed09f 100644
--- a/policy/test_execshare.te
+++ b/policy/test_execshare.te
@@ -22,7 +22,6 @@ typeattribute test_execshare_notchild_t execsharedomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(execsharedomain)
-userdom_sysadm_entry_spec_domtrans_to(execsharedomain)
 
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te
index a4a8b96..302ba80 100644
--- a/policy/test_exectrace.te
+++ b/policy/test_exectrace.te
@@ -25,7 +25,6 @@ typeattribute test_exectrace_notchild_t exectracedomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(exectracedomain)
-userdom_sysadm_entry_spec_domtrans_to(exectracedomain)
 
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te
index d0a46bc..e310353 100644
--- a/policy/test_execute_no_trans.te
+++ b/policy/test_execute_no_trans.te
@@ -18,7 +18,6 @@ testsuite_domain_type(test_execute_notrans_t);
 
 # Allow this domain to be entered via the shell.
 corecmd_shell_entry_type(test_execute_notrans_t)
-userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
 
 #Allow test_execute_notrans permissions to the allowed type
 can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
index 75636ec..681a71d 100644
--- a/policy/test_extended_socket_class.te
+++ b/policy/test_extended_socket_class.te
@@ -57,4 +57,3 @@ kernel_request_load_module(extsocktestdomain)
 
 # Entry into the test domains via the test program.
 miscfiles_domain_entry_test_files(extsocktestdomain)
-userdom_sysadm_entry_spec_domtrans_to(extsocktestdomain)
diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
index e060ffd..9987503 100644
--- a/policy/test_fdreceive.te
+++ b/policy/test_fdreceive.te
@@ -32,7 +32,6 @@ typeattribute test_fdreceive_server_t fdreceivedomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(fdreceivedomain)
-userdom_sysadm_entry_spec_domtrans_to(fdreceivedomain)
 
 # Grant the necessary permissions for the server domain.
 ## Create the Unix domain socket file.
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
index 5a23931..264a703 100644
--- a/policy/test_fdreceive_bpf.te
+++ b/policy/test_fdreceive_bpf.te
@@ -51,4 +51,3 @@ allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(fdreceivebpfdomain)
-userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain)
diff --git a/policy/test_file.te b/policy/test_file.te
index e20ae3e..9acc211 100644
--- a/policy/test_file.te
+++ b/policy/test_file.te
@@ -55,7 +55,6 @@ libs_exec_lib_files(fileopdomain)
 
 # Allow all of these domains to be entered from sysadm domain
 miscfiles_domain_entry_test_files(fileopdomain)
-userdom_sysadm_entry_spec_domtrans_to(fileopdomain)
 
 corecmd_bin_entry_type(fileopdomain)
 sysadm_bin_spec_domtrans_to(fileopdomain)
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 71075fb..fd06d5d 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -413,4 +413,3 @@ allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate };
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(filesystemdomain)
-userdom_sysadm_entry_spec_domtrans_to(filesystemdomain)
diff --git a/policy/test_global.te b/policy/test_global.te
index 03acc19..5ef3b02 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -40,6 +40,9 @@ term_use_all_terms(testsuite_domain)
 allow testsuite_domain init_t:fd use;
 allow testsuite_domain initrc_t:fd use;
 
+# Allow the test domain to be entered from sysadm_t
+userdom_sysadm_entry_spec_domtrans_to(testsuite_domain)
+
 # Allow the test domains to access the test directory and files
 # even if they are not root owned.
 allow testsuite_domain self:capability { dac_override dac_read_search };
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
index 674293f..a403be0 100644
--- a/policy/test_ibendport.te
+++ b/policy/test_ibendport.te
@@ -32,4 +32,3 @@ allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(ibendportdomain)
-userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
index e65895f..de0f5e1 100644
--- a/policy/test_ibpkey.te
+++ b/policy/test_ibpkey.te
@@ -25,4 +25,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(ibpkeydomain)
-userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain)
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index da507d1..dd0e83c 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -161,4 +161,3 @@ kernel_recvfrom_unlabeled_peer(inetsocketdomain)
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(inetsocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(inetsocketdomain)
diff --git a/policy/test_inherit.te b/policy/test_inherit.te
index 31d719e..15ab8fc 100644
--- a/policy/test_inherit.te
+++ b/policy/test_inherit.te
@@ -33,7 +33,6 @@ typeattribute test_inherit_nowrite_t inheritdomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(inheritdomain)
-userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
 
 # Grant the necessary permissions for the parent domain.
 allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te
index 24cff32..955695d 100644
--- a/policy/test_ioctl.te
+++ b/policy/test_ioctl.te
@@ -31,7 +31,6 @@ libs_exec_lib_files(ioctldomain)
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
 miscfiles_domain_entry_test_files(ioctldomain)
-userdom_sysadm_entry_spec_domtrans_to(ioctldomain)
 corecmd_bin_entry_type(ioctldomain)
 sysadm_bin_spec_domtrans_to(ioctldomain)
 
diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index 07f8b4a..f68d35c 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -68,7 +68,6 @@ fs_rw_tmpfs_files(ipcdomain)
 # Allow all of these domains to be entered from user domains.
 # via a shell script in the test directory or by another program.
 miscfiles_domain_entry_test_files(ipcdomain)
-userdom_sysadm_entry_spec_domtrans_to(ipcdomain)
 corecmd_bin_entry_type(ipcdomain)
 sysadm_bin_spec_domtrans_to(ipcdomain)
 
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
index fad5dfd..2763472 100644
--- a/policy/test_key_socket.te
+++ b/policy/test_key_socket.te
@@ -52,7 +52,6 @@ allow test_key_sock_no_read_t self:key_socket { create write setopt };
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(keysockdomain)
-userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
 
 # For CONFIG_NET_KEY=m
 kernel_request_load_module(keysockdomain)
diff --git a/policy/test_keys.te b/policy/test_keys.te
index 142a70c..de1b46c 100644
--- a/policy/test_keys.te
+++ b/policy/test_keys.te
@@ -169,4 +169,3 @@ allow test_request_keys_no_link_t test_keyring_service_t:key { read write search
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(keydomain)
-userdom_sysadm_entry_spec_domtrans_to(keydomain)
diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te
index e816b03..d63dc80 100644
--- a/policy/test_mac_admin.te
+++ b/policy/test_mac_admin.te
@@ -47,4 +47,3 @@ allow mac_admintestdomain unlabeled_t:dir { getattr create };
 
 # Entry into the test domains via the test program.
 corecmd_bin_entry_type(mac_admintestdomain)
-userdom_sysadm_entry_spec_domtrans_to(mac_admintestdomain)
diff --git a/policy/test_module_load.te b/policy/test_module_load.te
index bbb805a..770b2dd 100644
--- a/policy/test_module_load.te
+++ b/policy/test_module_load.te
@@ -46,4 +46,3 @@ neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request }
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(kmoduledomain)
-userdom_sysadm_entry_spec_domtrans_to(kmoduledomain)
diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te
index b9e84e7..ea3fa68 100644
--- a/policy/test_mqueue.te
+++ b/policy/test_mqueue.te
@@ -57,7 +57,6 @@ files_type(mqop_mqrw_t)
 
 # basic permision for all mqopdomains
 miscfiles_domain_entry_test_files(mqopdomain)
-userdom_sysadm_entry_spec_domtrans_to(mqopdomain)
 
 corecmd_bin_entry_type(mqopdomain)
 sysadm_bin_spec_domtrans_to(mqopdomain)
diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
index 0d6fc5e..589e372 100644
--- a/policy/test_netlink_socket.te
+++ b/policy/test_netlink_socket.te
@@ -43,7 +43,6 @@ netlink_socket_test(netlink_crypto_socket)
 
 # Entry into the test domains via the test program.
 miscfiles_domain_entry_test_files(netlinksocktestdomain)
-userdom_sysadm_entry_spec_domtrans_to(netlinksocktestdomain)
 
 # Trigger kernel module auto-loading of the protocol implementations.
 kernel_request_load_module(netlinksocktestdomain)
diff --git a/policy/test_notify.te b/policy/test_notify.te
index 86979a5..4ffd287 100644
--- a/policy/test_notify.te
+++ b/policy/test_notify.te
@@ -75,4 +75,3 @@ typeattribute test_rdonly_t test_notify_domain;
 allow test_rdonly_t test_notify_file_t:dir { read open watch };
 
 miscfiles_domain_entry_test_files(test_notify_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_notify_domain)
diff --git a/policy/test_open.te b/policy/test_open.te
index acb31d8..0d662f0 100644
--- a/policy/test_open.te
+++ b/policy/test_open.te
@@ -31,4 +31,3 @@ allow test_append_t test_open_file_t:file append_file_perms;
 
 # Allow all of these domains to be entered from sysadm domain
 miscfiles_domain_entry_test_files(test_open_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_open_domain)
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 6d3828a..8a914ff 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -75,4 +75,3 @@ allow_lockdown_confidentiality(test_perf_no_write_t)
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(perfdomain)
-userdom_sysadm_entry_spec_domtrans_to(perfdomain)
diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te
index 3f32136..4b6a5c8 100644
--- a/policy/test_prlimit.te
+++ b/policy/test_prlimit.te
@@ -43,4 +43,3 @@ prlimit_test(getrlimit)
 
 # Entry into the test domains via the test program.
 miscfiles_domain_entry_test_files(prlimittestdomain)
-userdom_sysadm_entry_spec_domtrans_to(prlimittestdomain)
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index 34aa636..f327cc5 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -36,7 +36,6 @@ allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
 # Allow all of these domains to be entered from the sysadm domains.
 # via a program in the test directory.
 miscfiles_domain_entry_test_files(ptracedomain)
-userdom_sysadm_entry_spec_domtrans_to(ptracedomain)
 
 # Allow execution of helper programs.
 corecmd_exec_bin(ptracedomain)
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 4c18c72..7b24b8c 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -234,4 +234,3 @@ allow sctpsocketdomain self:unix_dgram_socket { create ioctl };
 ############ Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(sctpsocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(sctpsocketdomain)
diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te
index a0dce3b..04bed89 100644
--- a/policy/test_sigkill.te
+++ b/policy/test_sigkill.te
@@ -41,7 +41,6 @@ allow test_kill_signal_t test_kill_server_t:process signal;
 # Allow all of these domains to be entered from the sysadm domains,
 # via kill or a program in the test directory.
 miscfiles_domain_entry_test_files(killdomain)
-userdom_sysadm_entry_spec_domtrans_to(killdomain)
 corecmd_bin_entry_type(killdomain)
 sysadm_bin_spec_domtrans_to(killdomain)
 
diff --git a/policy/test_task_create.te b/policy/test_task_create.te
index eb51cd2..54acb50 100644
--- a/policy/test_task_create.te
+++ b/policy/test_task_create.te
@@ -25,4 +25,3 @@ typeattribute test_create_no_t test_create_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_create_d)
-userdom_sysadm_entry_spec_domtrans_to(test_create_d)
diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te
index 1f81f56..dad584e 100644
--- a/policy/test_task_getpgid.te
+++ b/policy/test_task_getpgid.te
@@ -26,7 +26,6 @@ typeattribute test_getpgid_no_t test_getpgid_d;
 
 # Allow domain to be entered from the sysadm domain
 miscfiles_domain_entry_test_files(test_getpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getpgid_d)
 
 # Give test_getpgid_yes_t the permission needed.
 allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te
index c67019b..f541d58 100644
--- a/policy/test_task_getsched.te
+++ b/policy/test_task_getsched.te
@@ -26,7 +26,6 @@ typeattribute test_getsched_no_t test_getsched_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_getsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsched_d)
 
 # Give test_getsched_yes_t the permission needed.
 allow test_getsched_yes_t test_getsched_target_t:process getsched;
diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te
index e5a62f8..8c21d9a 100644
--- a/policy/test_task_getsid.te
+++ b/policy/test_task_getsid.te
@@ -26,7 +26,6 @@ typeattribute test_getsid_no_t test_getsid_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_getsid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsid_d)
 
 # Give test_getsid_yes_t the permission needed.
 allow test_getsid_yes_t test_getsid_target_t:process getsession;
diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te
index 8e98859..25e06d4 100644
--- a/policy/test_task_setpgid.te
+++ b/policy/test_task_setpgid.te
@@ -18,4 +18,3 @@ typeattribute test_setpgid_no_t test_setpgid_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_setpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setpgid_d)
diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te
index c30157e..432135e 100644
--- a/policy/test_task_setsched.te
+++ b/policy/test_task_setsched.te
@@ -28,7 +28,6 @@ typeattribute test_setsched_no_t test_setsched_d;
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_setsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setsched_d)
 
 # Allow these domains to execute renice.
 corecmd_bin_entry_type(test_setsched_d)
diff --git a/policy/test_transition.te b/policy/test_transition.te
index 8f1f4bf..4adc423 100644
--- a/policy/test_transition.te
+++ b/policy/test_transition.te
@@ -25,6 +25,3 @@ corecmd_bin_entry_type(transitiondomain)
 domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t)
 allow test_transition_fromdomain_t test_transition_todomain_t:fd use;
 allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
-
-# Allow all of these domains to be entered from the sysadm domain.
-userdom_sysadm_entry_spec_domtrans_to(transitiondomain)
diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te
index be317a2..e1aef8d 100644
--- a/policy/test_tun_tap.te
+++ b/policy/test_tun_tap.te
@@ -96,4 +96,3 @@ allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition };
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(tuntapdomain)
-userdom_sysadm_entry_spec_domtrans_to(tuntapdomain)
diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te
index 924475e..69720f0 100644
--- a/policy/test_unix_socket.te
+++ b/policy/test_unix_socket.te
@@ -61,4 +61,3 @@ typeattribute test_socketpair_t unixsocketdomain;
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(unixsocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(unixsocketdomain)
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index 0ca733b..5cb7d1c 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -48,4 +48,3 @@ allow test_uffd_domain self:capability { sys_ptrace };
 
 # Allow all of these domains to be executed
 miscfiles_domain_entry_test_files(test_uffd_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain)
diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te
index abbcc0b..4bb989a 100644
--- a/policy/test_vsock_socket.te
+++ b/policy/test_vsock_socket.te
@@ -45,4 +45,3 @@ vsock_client(nosetopt, connect create getattr getopt read shutdown write)
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(vsocksocketdomain)
-userdom_sysadm_entry_spec_domtrans_to(vsocksocketdomain)
diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te
index 9fa5a70..101d68a 100644
--- a/policy/test_watchkey.te
+++ b/policy/test_watchkey.te
@@ -20,4 +20,3 @@ typeattribute test_watchkey_no_view_t watchkeydomain;
 ########### Allow these domains to be entered from sysadm domain ############
 #
 miscfiles_domain_entry_test_files(watchkeydomain)
-userdom_sysadm_entry_spec_domtrans_to(watchkeydomain)
-- 
2.37.1

[PATCH testsuite 09/24] policy: move miscfiles_domain_entry_test_files() to general policy

[Ondrej Mosnacek]

This is good to have for pretty much all domains, so remove the
individual calls and move it to test_general.te.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_binder.te                | 5 -----
 policy/test_binder_bpf.te            | 5 -----
 policy/test_bounds.te                | 1 -
 policy/test_bpf.te                   | 5 -----
 policy/test_cap_userns.te            | 1 -
 policy/test_capable_file.te          | 1 -
 policy/test_dyntrace.te              | 1 -
 policy/test_dyntrans.te              | 4 ----
 policy/test_execshare.te             | 3 ---
 policy/test_exectrace.te             | 3 ---
 policy/test_extended_socket_class.te | 3 ---
 policy/test_fdreceive.te             | 3 ---
 policy/test_fdreceive_bpf.te         | 3 ---
 policy/test_file.te                  | 3 ---
 policy/test_filesystem.te            | 5 -----
 policy/test_global.te                | 4 +++-
 policy/test_ibendport.te             | 3 ---
 policy/test_ibpkey.te                | 3 ---
 policy/test_inet_socket.te           | 3 ---
 policy/test_inherit.te               | 3 ---
 policy/test_ioctl.te                 | 1 -
 policy/test_ipc.te                   | 1 -
 policy/test_key_socket.te            | 5 -----
 policy/test_keys.te                  | 5 -----
 policy/test_mmap.te                  | 3 ---
 policy/test_module_load.te           | 5 -----
 policy/test_mqueue.te                | 3 ---
 policy/test_netlink_socket.te        | 3 ---
 policy/test_notify.te                | 2 --
 policy/test_open.te                  | 3 ---
 policy/test_perf_event.te            | 5 -----
 policy/test_prlimit.te               | 7 -------
 policy/test_ptrace.te                | 4 ----
 policy/test_sctp.te                  | 5 -----
 policy/test_setnice.te               | 1 -
 policy/test_sigkill.te               | 1 -
 policy/test_task_create.te           | 5 -----
 policy/test_task_getpgid.te          | 3 ---
 policy/test_task_getsched.te         | 3 ---
 policy/test_task_getsid.te           | 3 ---
 policy/test_task_setpgid.te          | 3 ---
 policy/test_task_setsched.te         | 3 ---
 policy/test_tun_tap.te               | 5 -----
 policy/test_unix_socket.te           | 3 ---
 policy/test_userfaultfd.te           | 3 ---
 policy/test_vsock_socket.te          | 3 ---
 policy/test_watchkey.te              | 5 -----
 47 files changed, 3 insertions(+), 152 deletions(-)

diff --git a/policy/test_binder.te b/policy/test_binder.te
index 096c467..4c7974a 100644
--- a/policy/test_binder.te
+++ b/policy/test_binder.te
@@ -94,8 +94,3 @@ allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call };
 allow test_binder_client_no_transfer_t test_binder_provider_t:binder { call impersonate };
 allow test_binder_client_no_transfer_t device_t:chr_file { getattr ioctl open read write };
 allow_map(test_binder_client_no_transfer_t, device_t, chr_file)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(binderdomain)
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
index 2d91af2..fa79320 100644
--- a/policy/test_binder_bpf.te
+++ b/policy/test_binder_bpf.te
@@ -57,8 +57,3 @@ allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
 allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
 allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
 allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(binderbpfdomain)
diff --git a/policy/test_bounds.te b/policy/test_bounds.te
index 60fbd0b..d132d8a 100644
--- a/policy/test_bounds.te
+++ b/policy/test_bounds.te
@@ -63,5 +63,4 @@ allow test_bounds_child_domain test_bounds_file_green_t : file { getattr setattr
 allow test_bounds_child_domain test_bounds_file_blue_t : file { getattr setattr };
 
 # Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(test_bounds_domain)
 sysadm_entry_spec_domtrans(test_bounds_domain)
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
index fb21c29..5eab0bd 100644
--- a/policy/test_bpf.te
+++ b/policy/test_bpf.te
@@ -57,8 +57,3 @@ typeattribute test_bpf_deny_prog_run_t bpfdomain;
 allow test_bpf_deny_prog_run_t self:process { setrlimit };
 allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
-
-#
-############ Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(bpfdomain)
diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
index fa90528..cfa510c 100644
--- a/policy/test_cap_userns.te
+++ b/policy/test_cap_userns.te
@@ -19,7 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t)
 typeattribute test_no_cap_userns_t capusernsdomain;
 
 # Rules common to both domains.
-miscfiles_domain_entry_test_files(capusernsdomain)
 corecmd_exec_bin(capusernsdomain)
 
 # linux >= v5.12 needs setfcap to map UID 0
diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te
index 9ce9487..2383f6e 100644
--- a/policy/test_capable_file.te
+++ b/policy/test_capable_file.te
@@ -39,7 +39,6 @@ libs_exec_ld_so(capabledomain)
 libs_exec_lib_files(capabledomain)
 
 # Allow test_file_t and bin_t to be entered from sysadm role
-miscfiles_domain_entry_test_files(capabledomain)
 corecmd_bin_entry_type(capabledomain)
 sysadm_bin_spec_domtrans_to(capabledomain)
 
diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te
index 0a598a4..09f983a 100644
--- a/policy/test_dyntrace.te
+++ b/policy/test_dyntrace.te
@@ -25,7 +25,6 @@ testsuite_domain_type(test_dyntrace_notchild_t)
 typeattribute test_dyntrace_notchild_t dyntracedomain;
 
 # Allow test_files_t to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(dyntracedomain)
 miscfiles_exec_test_files(dyntracedomain)
 
 # Grant the necessary permissions for the child domain.
diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te
index e4110c5..73fe77d 100644
--- a/policy/test_dyntrans.te
+++ b/policy/test_dyntrans.te
@@ -23,7 +23,3 @@ typeattribute test_dyntrans_todomain_t dyntransdomain;
 
 # Allow the fromdomain to dyntrans to the new domain.
 allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(dyntransdomain)
-
diff --git a/policy/test_execshare.te b/policy/test_execshare.te
index 22ed09f..c127662 100644
--- a/policy/test_execshare.te
+++ b/policy/test_execshare.te
@@ -20,9 +20,6 @@ type test_execshare_notchild_t;
 testsuite_domain_type(test_execshare_notchild_t);
 typeattribute test_execshare_notchild_t execsharedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(execsharedomain)
-
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
 allow test_execshare_parent_t test_execshare_child_t:fd use;
diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te
index 302ba80..d5b74ad 100644
--- a/policy/test_exectrace.te
+++ b/policy/test_exectrace.te
@@ -23,9 +23,6 @@ type test_exectrace_notchild_t;
 testsuite_domain_type(test_exectrace_notchild_t)
 typeattribute test_exectrace_notchild_t exectracedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(exectracedomain)
-
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
 allow test_exectrace_parent_t test_exectrace_child_t:fd use;
diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
index 681a71d..c8840b4 100644
--- a/policy/test_extended_socket_class.te
+++ b/policy/test_extended_socket_class.te
@@ -54,6 +54,3 @@ extended_socket_class_test(alg_socket, socket)
 
 # Trigger kernel module auto-loading of the network protocol implementations.
 kernel_request_load_module(extsocktestdomain)
-
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(extsocktestdomain)
diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
index 9987503..df9e974 100644
--- a/policy/test_fdreceive.te
+++ b/policy/test_fdreceive.te
@@ -30,9 +30,6 @@ type test_fdreceive_server_t;
 testsuite_domain_type(test_fdreceive_server_t);
 typeattribute test_fdreceive_server_t fdreceivedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(fdreceivedomain)
-
 # Grant the necessary permissions for the server domain.
 ## Create the Unix domain socket file.
 allow test_fdreceive_server_t test_file_t:dir rw_dir_perms;
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
index 264a703..fd633ae 100644
--- a/policy/test_fdreceive_bpf.te
+++ b/policy/test_fdreceive_bpf.te
@@ -48,6 +48,3 @@ allow test_fdreceive_bpf_client3_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(fdreceivebpfdomain)
diff --git a/policy/test_file.te b/policy/test_file.te
index 9acc211..5bb0398 100644
--- a/policy/test_file.te
+++ b/policy/test_file.te
@@ -53,9 +53,6 @@ libs_use_shared_libs(fileopdomain)
 libs_exec_ld_so(fileopdomain)
 libs_exec_lib_files(fileopdomain)
 
-# Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(fileopdomain)
-
 corecmd_bin_entry_type(fileopdomain)
 sysadm_bin_spec_domtrans_to(fileopdomain)
 
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index fd06d5d..5de489c 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -408,8 +408,3 @@ allow test_filesystem_no_mount_t dosfs_t:filesystem { associate };
 allow test_filesystem_no_remount_t dosfs_t:filesystem { associate };
 allow test_filesystem_no_unmount_t dosfs_t:filesystem { associate };
 allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(filesystemdomain)
diff --git a/policy/test_global.te b/policy/test_global.te
index 5ef3b02..667c272 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -51,8 +51,10 @@ allow testsuite_domain self:capability { dac_override dac_read_search };
 #allow sysadm_t self:process setexec;
 #selinux_get_fs_mount(sysadm_t)
 
-# Let all test domains read test directories and files.
+# Let all test domains read test directories and files and to use test
+# files as entry points.
 miscfiles_read_test_files(testsuite_domain)
+miscfiles_domain_entry_test_files(testsuite_domain)
 
 # Let the test domains set their current, exec and fscreate contexts.
 allow testsuite_domain self:process setcurrent;
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
index a403be0..ccfea28 100644
--- a/policy/test_ibendport.te
+++ b/policy/test_ibendport.te
@@ -29,6 +29,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
 ')
 
 allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(ibendportdomain)
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
index de0f5e1..863ff16 100644
--- a/policy/test_ibpkey.te
+++ b/policy/test_ibpkey.te
@@ -22,6 +22,3 @@ corenet_ib_pkey(test_ibpkey_t)
 ifdef(`corenet_ib_access_unlabeled_pkeys',`
 corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
 ')
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(ibpkeydomain)
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index dd0e83c..5feb801 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -158,6 +158,3 @@ allow test_inet_client_t test_server_packet_t:packet { send recv };
 # Send/recv unlabeled packets.
 kernel_sendrecv_unlabeled_packets(inetsocketdomain)
 kernel_recvfrom_unlabeled_peer(inetsocketdomain)
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(inetsocketdomain)
diff --git a/policy/test_inherit.te b/policy/test_inherit.te
index 15ab8fc..da26ea3 100644
--- a/policy/test_inherit.te
+++ b/policy/test_inherit.te
@@ -31,9 +31,6 @@ type test_inherit_nowrite_t;
 testsuite_domain_type(test_inherit_nowrite_t)
 typeattribute test_inherit_nowrite_t inheritdomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(inheritdomain)
-
 # Grant the necessary permissions for the parent domain.
 allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
 
diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te
index 955695d..dc645f4 100644
--- a/policy/test_ioctl.te
+++ b/policy/test_ioctl.te
@@ -30,7 +30,6 @@ libs_exec_lib_files(ioctldomain)
 
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
-miscfiles_domain_entry_test_files(ioctldomain)
 corecmd_bin_entry_type(ioctldomain)
 sysadm_bin_spec_domtrans_to(ioctldomain)
 
diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index f68d35c..21d997b 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -67,7 +67,6 @@ fs_rw_tmpfs_files(ipcdomain)
 
 # Allow all of these domains to be entered from user domains.
 # via a shell script in the test directory or by another program.
-miscfiles_domain_entry_test_files(ipcdomain)
 corecmd_bin_entry_type(ipcdomain)
 sysadm_bin_spec_domtrans_to(ipcdomain)
 
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
index 2763472..27a1545 100644
--- a/policy/test_key_socket.te
+++ b/policy/test_key_socket.te
@@ -48,10 +48,5 @@ typeattribute test_key_sock_no_read_t keysockdomain;
 allow test_key_sock_no_read_t self:capability { net_admin };
 allow test_key_sock_no_read_t self:key_socket { create write setopt };
 
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(keysockdomain)
-
 # For CONFIG_NET_KEY=m
 kernel_request_load_module(keysockdomain)
diff --git a/policy/test_keys.te b/policy/test_keys.te
index de1b46c..250950e 100644
--- a/policy/test_keys.te
+++ b/policy/test_keys.te
@@ -164,8 +164,3 @@ typeattribute test_request_keys_no_link_t keydomain;
 
 allow test_request_keys_no_link_t self:key { create write search read view link setattr };
 allow test_request_keys_no_link_t test_keyring_service_t:key { read write search view setattr };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(keydomain)
diff --git a/policy/test_mmap.te b/policy/test_mmap.te
index eb59dbe..d0850cc 100644
--- a/policy/test_mmap.te
+++ b/policy/test_mmap.te
@@ -152,6 +152,3 @@ testsuite_domain_type(test_no_execmod_t)
 typeattribute test_no_execmod_t mmaptestdomain;
 allow test_no_execmod_t test_mmap_file_t:file { open read execute };
 allow_map(test_no_execmod_t, test_mmap_file_t, file)
-
-# Allow entrypoint via the test programs.
-miscfiles_domain_entry_test_files(mmaptestdomain)
diff --git a/policy/test_module_load.te b/policy/test_module_load.te
index 770b2dd..a856706 100644
--- a/policy/test_module_load.te
+++ b/policy/test_module_load.te
@@ -41,8 +41,3 @@ allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
 allow test_kmodule_deny_module_request_t self:system { module_load };
 allow_lockdown_integrity(test_kmodule_deny_module_request_t)
 neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(kmoduledomain)
diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te
index ea3fa68..65ffe6d 100644
--- a/policy/test_mqueue.te
+++ b/policy/test_mqueue.te
@@ -55,9 +55,6 @@ type mqop_mqrw_t;
 files_type(mqop_mqrw_t)
 
 
-# basic permision for all mqopdomains
-miscfiles_domain_entry_test_files(mqopdomain)
-
 corecmd_bin_entry_type(mqopdomain)
 sysadm_bin_spec_domtrans_to(mqopdomain)
 
diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
index 589e372..b6d39c2 100644
--- a/policy/test_netlink_socket.te
+++ b/policy/test_netlink_socket.te
@@ -41,8 +41,5 @@ netlink_socket_test(netlink_crypto_socket)
 # Common rules for all netlink socket class test domains.
 #
 
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(netlinksocktestdomain)
-
 # Trigger kernel module auto-loading of the protocol implementations.
 kernel_request_load_module(netlinksocktestdomain)
diff --git a/policy/test_notify.te b/policy/test_notify.te
index 4ffd287..fe60274 100644
--- a/policy/test_notify.te
+++ b/policy/test_notify.te
@@ -73,5 +73,3 @@ testsuite_domain_type(test_rdonly_t)
 typeattribute test_rdonly_t test_notify_domain;
 
 allow test_rdonly_t test_notify_file_t:dir { read open watch };
-
-miscfiles_domain_entry_test_files(test_notify_domain)
diff --git a/policy/test_open.te b/policy/test_open.te
index 0d662f0..f01a5fe 100644
--- a/policy/test_open.te
+++ b/policy/test_open.te
@@ -28,6 +28,3 @@ type test_append_t;
 testsuite_domain_type(test_append_t)
 typeattribute test_append_t test_open_domain;
 allow test_append_t test_open_file_t:file append_file_perms;
-
-# Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(test_open_domain)
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 8a914ff..5db46cd 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -70,8 +70,3 @@ typeattribute test_perf_no_write_t perfdomain;
 allow test_perf_no_write_t self:capability2 { perfmon };
 allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
 allow_lockdown_confidentiality(test_perf_no_write_t)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(perfdomain)
diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te
index 4b6a5c8..b0314f3 100644
--- a/policy/test_prlimit.te
+++ b/policy/test_prlimit.te
@@ -36,10 +36,3 @@ spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t)
 
 prlimit_test(setrlimit)
 prlimit_test(getrlimit)
-
-#
-# Common rules for all prlimit test domains.
-#
-
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(prlimittestdomain)
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index f327cc5..8c1d71c 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -33,10 +33,6 @@ userdom_search_user_home_dirs(test_ptrace_traced_t)
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
 
-# Allow all of these domains to be entered from the sysadm domains.
-# via a program in the test directory.
-miscfiles_domain_entry_test_files(ptracedomain)
-
 # Allow execution of helper programs.
 corecmd_exec_bin(ptracedomain)
 domain_exec_all_entry_files(ptracedomain)
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 7b24b8c..e276153 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -229,8 +229,3 @@ allow sctpsocketdomain proc_net_t:file { read };
 allow sctpsocketdomain sysctl_net_t:dir { search };
 allow sctpsocketdomain self:udp_socket { create };
 allow sctpsocketdomain self:unix_dgram_socket { create ioctl };
-
-#
-############ Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(sctpsocketdomain)
diff --git a/policy/test_setnice.te b/policy/test_setnice.te
index 34a2e73..2c34643 100644
--- a/policy/test_setnice.te
+++ b/policy/test_setnice.te
@@ -31,7 +31,6 @@ libs_exec_lib_files(setnicedomain)
 
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
-miscfiles_domain_entry_test_files(setnicedomain)
 domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
 domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
 allow test_setnice_change_t test_setnice_set_t:fd use;
diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te
index 04bed89..1aaa0af 100644
--- a/policy/test_sigkill.te
+++ b/policy/test_sigkill.te
@@ -40,7 +40,6 @@ allow test_kill_signal_t test_kill_server_t:process signal;
 
 # Allow all of these domains to be entered from the sysadm domains,
 # via kill or a program in the test directory.
-miscfiles_domain_entry_test_files(killdomain)
 corecmd_bin_entry_type(killdomain)
 sysadm_bin_spec_domtrans_to(killdomain)
 
diff --git a/policy/test_task_create.te b/policy/test_task_create.te
index 54acb50..b90b2e3 100644
--- a/policy/test_task_create.te
+++ b/policy/test_task_create.te
@@ -20,8 +20,3 @@ type test_create_no_t;
 # as it makes the permission effectively unusable in real policy.
 testsuite_domain_type_minimal(test_create_no_t)
 typeattribute test_create_no_t test_create_d;
-
-# General rules for the test_create_d
-
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_create_d)
diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te
index dad584e..4c499f7 100644
--- a/policy/test_task_getpgid.te
+++ b/policy/test_task_getpgid.te
@@ -24,8 +24,5 @@ type test_getpgid_no_t;
 testsuite_domain_type(test_getpgid_no_t)
 typeattribute test_getpgid_no_t test_getpgid_d;
 
-# Allow domain to be entered from the sysadm domain
-miscfiles_domain_entry_test_files(test_getpgid_d)
-
 # Give test_getpgid_yes_t the permission needed.
 allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te
index f541d58..98b267f 100644
--- a/policy/test_task_getsched.te
+++ b/policy/test_task_getsched.te
@@ -24,8 +24,5 @@ type test_getsched_no_t;
 testsuite_domain_type(test_getsched_no_t)
 typeattribute test_getsched_no_t test_getsched_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_getsched_d)
-
 # Give test_getsched_yes_t the permission needed.
 allow test_getsched_yes_t test_getsched_target_t:process getsched;
diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te
index 8c21d9a..b53d454 100644
--- a/policy/test_task_getsid.te
+++ b/policy/test_task_getsid.te
@@ -24,8 +24,5 @@ type test_getsid_no_t;
 testsuite_domain_type(test_getsid_no_t)
 typeattribute test_getsid_no_t test_getsid_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_getsid_d)
-
 # Give test_getsid_yes_t the permission needed.
 allow test_getsid_yes_t test_getsid_target_t:process getsession;
diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te
index 25e06d4..bb8afa7 100644
--- a/policy/test_task_setpgid.te
+++ b/policy/test_task_setpgid.te
@@ -15,6 +15,3 @@ typeattribute test_setpgid_yes_t test_setpgid_d;
 type test_setpgid_no_t;
 testsuite_domain_type_minimal(test_setpgid_no_t)
 typeattribute test_setpgid_no_t test_setpgid_d;
-
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_setpgid_d)
diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te
index 432135e..3e75cf6 100644
--- a/policy/test_task_setsched.te
+++ b/policy/test_task_setsched.te
@@ -26,9 +26,6 @@ type test_setsched_no_t;
 testsuite_domain_type(test_setsched_no_t)
 typeattribute test_setsched_no_t test_setsched_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_setsched_d)
-
 # Allow these domains to execute renice.
 corecmd_bin_entry_type(test_setsched_d)
 
diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te
index e1aef8d..28efc10 100644
--- a/policy/test_tun_tap.te
+++ b/policy/test_tun_tap.te
@@ -91,8 +91,3 @@ allow test_newcon_no_from_tun_tap_t self:tun_socket { relabelto };
 # For switch back on error:
 allow test_tun_tap_t test_newcon_no_from_tun_tap_t:fd { use };
 allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(tuntapdomain)
diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te
index 69720f0..f4e9e41 100644
--- a/policy/test_unix_socket.te
+++ b/policy/test_unix_socket.te
@@ -58,6 +58,3 @@ allow test_unix_server_t test_unix_dgram_client_t:unix_dgram_socket sendto;
 type test_socketpair_t;
 testsuite_domain_type(test_socketpair_t)
 typeattribute test_socketpair_t unixsocketdomain;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(unixsocketdomain)
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index 5cb7d1c..f5a6613 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -45,6 +45,3 @@ userfaultfd_domain_type(test_noread_uffd_t)
 
 # userfaultfd(2) requires CAP_SYS_PTRACE
 allow test_uffd_domain self:capability { sys_ptrace };
-
-# Allow all of these domains to be executed
-miscfiles_domain_entry_test_files(test_uffd_domain)
diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te
index 4bb989a..dbd47f4 100644
--- a/policy/test_vsock_socket.te
+++ b/policy/test_vsock_socket.te
@@ -42,6 +42,3 @@ vsock_client(noread, connect create getattr getopt setopt shutdown write)
 vsock_client(nogetattr, connect create getopt setopt read shutdown write)
 vsock_client(nogetopt, connect create getattr setopt read shutdown write)
 vsock_client(nosetopt, connect create getattr getopt read shutdown write)
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(vsocksocketdomain)
diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te
index 101d68a..a85bd20 100644
--- a/policy/test_watchkey.te
+++ b/policy/test_watchkey.te
@@ -15,8 +15,3 @@ allow test_watchkey_t self:key { view };
 type test_watchkey_no_view_t;
 testsuite_domain_type(test_watchkey_no_view_t)
 typeattribute test_watchkey_no_view_t watchkeydomain;
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(watchkeydomain)
-- 
2.37.1

[PATCH testsuite 10/24] policy: substitute userdom_sysadm_entry_spec_domtrans_to()

[Ondrej Mosnacek]

Use sysadm_entry_spec_domtrans_to() which is the actual name of the
interface in Fedora policy and refpolicy now.
userdom_sysadm_entry_spec_domtrans_to() has been deprecated.

sysadm_entry_spec_domtrans_to() is available even as far back as RHEL-6
and also in refpolicy, so remove the whole fallback implementation.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te |  2 +-
 policy/test_policy.if | 13 -------------
 2 files changed, 1 insertion(+), 14 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index 667c272..aceac48 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -41,7 +41,7 @@ allow testsuite_domain init_t:fd use;
 allow testsuite_domain initrc_t:fd use;
 
 # Allow the test domain to be entered from sysadm_t
-userdom_sysadm_entry_spec_domtrans_to(testsuite_domain)
+sysadm_entry_spec_domtrans_to(testsuite_domain)
 
 # Allow the test domains to access the test directory and files
 # even if they are not root owned.
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 6cef8dd..89ab6f7 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -17,19 +17,6 @@
 ## </desc>
 #
 
-ifdef(`userdom_sysadm_entry_spec_domtrans_to',`', ` dnl
-interface(`userdom_sysadm_entry_spec_domtrans_to',`
-        gen_require(`
-                type sysadm_t;
-	')
-
-        domain_entry_file_spec_domtrans(sysadm_t, $1)
-        allow $1 sysadm_t:fd use;
-        allow $1 sysadm_t:fifo_file rw_file_perms;
-        allow $1 sysadm_t:process sigchld;
-')
-')
-
 interface(`testsuite_domain_type_common',`
 	gen_require(`
 		attribute testsuite_domain;
-- 
2.37.1

[PATCH testsuite 11/24] test_general.te: move sysadm-related rules into an optional block

[Ondrej Mosnacek]

That should allow running selinux-testsuite with the sysadm module
disabled.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index aceac48..3862ee7 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -25,12 +25,21 @@ optional_policy(`
 	dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
 ')
 
-gen_require(`
-	role sysadm_r;
-')
+optional_policy(`
+	gen_require(`
+		role sysadm_r;
+	')
+
+	# Authorize sysadm_r for the test domains.
+	role sysadm_r types testsuite_domain;
 
-# Authorize sysadm_r for the test domains.
-role sysadm_r types testsuite_domain;
+	# Allow the test domain to be entered from sysadm_t
+	sysadm_entry_spec_domtrans_to(testsuite_domain)
+
+	# Let sysadm_t use runcon to run the test programs in various domains.
+	#allow sysadm_t self:process setexec;
+	#selinux_get_fs_mount(sysadm_t)
+')
 
 # Allow the test domains to access the sysadm terminal.
 # This allows read and write sysadm ttys and ptys.
@@ -40,17 +49,10 @@ term_use_all_terms(testsuite_domain)
 allow testsuite_domain init_t:fd use;
 allow testsuite_domain initrc_t:fd use;
 
-# Allow the test domain to be entered from sysadm_t
-sysadm_entry_spec_domtrans_to(testsuite_domain)
-
 # Allow the test domains to access the test directory and files
 # even if they are not root owned.
 allow testsuite_domain self:capability { dac_override dac_read_search };
 
-# Let sysadm_t use runcon to run the test programs in various domains.
-#allow sysadm_t self:process setexec;
-#selinux_get_fs_mount(sysadm_t)
-
 # Let all test domains read test directories and files and to use test
 # files as entry points.
 miscfiles_read_test_files(testsuite_domain)
-- 
2.37.1

[PATCH testsuite 12/24] test_filesystem.te: remove redundant dontaudit rules

[Ondrej Mosnacek]

These accesses should already be allowed to unconfined_t via
files_type().

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_filesystem.te            | 2 --
 policy/test_filesystem_name_trans.te | 4 +---
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 5de489c..4942e0d 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -57,7 +57,6 @@ allow test_filesystem_t test_filesystem_filecon_t:file { open read getattr relab
 fs_associate(test_filesystem_filetranscon_t)
 type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filetranscon_t;
 allow test_filesystem_t test_filesystem_filetranscon_t:file { create getattr open write relabelfrom };
-dontaudit unconfined_t test_filesystem_filetranscon_t:file { getattr read };
 
 # For NFS
 type_transition test_filesystem_t test_file_t:file test_filesystem_filetranscon_t;
@@ -268,7 +267,6 @@ fs_associate(test_filesystem_inode_setxattr_no_associate_t)
 # Create test file
 allow test_filesystem_inode_setxattr_no_associate_t self:file { create relabelfrom relabelto };
 # neverallow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
-dontaudit unconfined_t test_filesystem_filecon_t:file { getattr read };
 allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:dir { add_name write };
 allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:file { create relabelfrom relabelto };
 
diff --git a/policy/test_filesystem_name_trans.te b/policy/test_filesystem_name_trans.te
index 7e336e4..9956c07 100644
--- a/policy/test_filesystem_name_trans.te
+++ b/policy/test_filesystem_name_trans.te
@@ -12,12 +12,10 @@ files_type(test_filesystem_filenametranscon2_t)
 fs_associate(test_filesystem_filenametranscon1_t)
 type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filenametranscon1_t "name_trans_test_file1";
 allow test_filesystem_t test_filesystem_filenametranscon1_t:file { create getattr open write };
-dontaudit unconfined_t test_filesystem_filenametranscon1_t:file { getattr read };
-#
+
 fs_associate(test_filesystem_filenametranscon2_t)
 type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filenametranscon2_t "name_trans_test_file2";
 allow test_filesystem_t test_filesystem_filenametranscon2_t:file { create getattr open write };
-dontaudit unconfined_t test_filesystem_filenametranscon2_t:file { getattr read };
 
 ### NFS Rules ##########
 type_transition test_filesystem_t test_file_t:file test_filesystem_filenametranscon1_t "name_trans_test_file1";
-- 
2.37.1

[PATCH testsuite 13/24] test_filesystem.te: remove suspicious rules

[Ondrej Mosnacek]

These don't seem to make sense. Get rid of them.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_filesystem.te | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 4942e0d..d8c5c51 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -126,7 +126,6 @@ fs_getattr_xattr_fs(test_filesystem_may_create_no_associate_t)
 # Create test file
 # neverallow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem { associate };
 allow test_filesystem_may_create_no_associate_t self:file { create relabelfrom relabelto };
-allow test_filesystem_may_create_no_associate_t unconfined_t:file { open read write };
 allow test_filesystem_may_create_no_associate_t unlabeled_t:dir { add_name search write };
 allow test_filesystem_may_create_no_associate_t unlabeled_t:file { create open relabelfrom write };
 
@@ -266,9 +265,6 @@ fs_associate(test_filesystem_inode_setxattr_no_associate_t)
 
 # Create test file
 allow test_filesystem_inode_setxattr_no_associate_t self:file { create relabelfrom relabelto };
-# neverallow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
-allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:dir { add_name write };
-allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:file { create relabelfrom relabelto };
 
 ################# Test process { setfscreate } #############
 type test_setfscreatecon_t;
@@ -357,7 +353,6 @@ allow test_filesystem_sb_relabel_no_relabelfrom_t self:filesystem { mount relabe
 allow test_filesystem_sb_relabel_no_relabelfrom_t self:filesystem { mount };
 
 allow test_filesystem_may_create_no_associate_t nfs_t:filesystem { associate };
-allow test_filesystem_may_create_no_associate_t unconfined_t:file { getattr relabelto };
 allow test_filesystem_may_create_no_associate_t test_file_t:dir { add_name };
 allow test_filesystem_may_create_no_associate_t test_file_t:file { create write relabelfrom };
 allow test_filesystem_may_create_no_associate_t test_filesystem_file_t:filesystem { mount unmount relabelto };
@@ -365,7 +360,6 @@ allow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associa
 allow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { getattr mount relabelto unmount };
 # neverallow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { associate };
 
-allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:file { getattr open read write };
 allow test_filesystem_inode_setxattr_no_associate_t nfs_t:filesystem { associate };
 allow test_filesystem_inode_setxattr_no_associate_t test_file_t:dir { add_name };
 allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create relabelfrom write };
-- 
2.37.1

[PATCH testsuite 14/24] tests/nnp_nosuid: avoid hardcoding unconfined_t in the policy

[Ondrej Mosnacek]

Add an intermediate domain which is entered first to avoid the need to
reference the calling domain in the policy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_nnp_nosuid.te | 26 +++++++++++++---------
 tests/nnp_nosuid/test     | 45 +++++++++++++++++++++++----------------
 2 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/policy/test_nnp_nosuid.te b/policy/test_nnp_nosuid.te
index ad5f742..8d5a1c6 100644
--- a/policy/test_nnp_nosuid.te
+++ b/policy/test_nnp_nosuid.te
@@ -3,19 +3,25 @@
 # Policy for testing NO_NEW_PRIVS and nosuid transitions.
 #
 
+# An intermediate domain to avoid referencing the caller domain.
+type test_intermediate_t;
+testsuite_domain_type(test_intermediate_t)
+# executes runcon
+corecmd_exec_bin(test_intermediate_t)
+
 # A domain bounded by the unconfined domain.
 type test_bounded_t;
 testsuite_domain_type(test_bounded_t)
-typebounds unconfined_t test_bounded_t;
+typebounds test_intermediate_t test_bounded_t;
 
 # The entrypoint type for this domain.
 type test_bounded_exec_t;
 files_type(test_bounded_exec_t)
 domain_entry_file(test_bounded_t, test_bounded_exec_t)
-domain_entry_file(unconfined_t, test_bounded_exec_t)
+domain_entry_file(test_intermediate_t, test_bounded_exec_t)
 
 # Run it!  This should succeed on v3.18 or later, fail on older kernels.
-unconfined_run_to(test_bounded_t, test_bounded_exec_t)
+domtrans_pattern(test_intermediate_t, test_bounded_exec_t, test_bounded_t)
 
 # A domain that is not bounded by the unconfined domain.
 type test_notbounded_t;
@@ -27,7 +33,7 @@ files_type(test_notbounded_exec_t)
 domain_entry_file(test_notbounded_t, test_notbounded_exec_t)
 
 # Run it!  This should fail always.
-unconfined_run_to(test_notbounded_t, test_notbounded_exec_t)
+domtrans_pattern(test_intermediate_t, test_notbounded_exec_t, test_notbounded_t)
 
 # A domain to which the unconfined domain is allowed nnp_transition.
 type test_nnptransition_t;
@@ -39,9 +45,9 @@ files_type(test_nnptransition_exec_t)
 domain_entry_file(test_nnptransition_t, test_nnptransition_exec_t)
 
 # Run it!  This should succeed on v4.14 or later.
-unconfined_run_to(test_nnptransition_t, test_nnptransition_exec_t)
+domtrans_pattern(test_intermediate_t, test_nnptransition_exec_t, test_nnptransition_t)
 ifdef(`nnp_nosuid_transition_permission_defined', `
-allow unconfined_t test_nnptransition_t:process2 nnp_transition;
+allow test_intermediate_t test_nnptransition_t:process2 nnp_transition;
 ')
 
 # A domain to which the unconfined domain is allowed nosuid_transition.
@@ -54,9 +60,9 @@ files_type(test_nosuidtransition_exec_t)
 domain_entry_file(test_nosuidtransition_t, test_nosuidtransition_exec_t)
 
 # Run it!  This should succeed on v4.14 or later.
-unconfined_run_to(test_nosuidtransition_t, test_nosuidtransition_exec_t)
+domtrans_pattern(test_intermediate_t, test_nosuidtransition_exec_t, test_nosuidtransition_t)
 ifdef(`nnp_nosuid_transition_permission_defined', `
-allow unconfined_t test_nosuidtransition_t:process2 nosuid_transition;
+allow test_intermediate_t test_nosuidtransition_t:process2 nosuid_transition;
 ')
 
 # A domain to which the unconfined domain is allowed both nosuid_transition and nnp_transition.
@@ -69,7 +75,7 @@ files_type(test_nosuidtransition_exec_t)
 domain_entry_file(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t)
 
 # Run it!  This should succeed on v4.14 or later.
-unconfined_run_to(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t)
+domtrans_pattern(test_intermediate_t, test_nnpnosuidtransition_exec_t, test_nnpnosuidtransition_t)
 ifdef(`nnp_nosuid_transition_permission_defined', `
-allow unconfined_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition };
+allow test_intermediate_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition };
 ')
diff --git a/tests/nnp_nosuid/test b/tests/nnp_nosuid/test
index 4e13927..bebe575 100755
--- a/tests/nnp_nosuid/test
+++ b/tests/nnp_nosuid/test
@@ -31,31 +31,36 @@ system("chcon -t test_bounded_exec_t $basedir/checkcon");
 # Create nosuid mount.
 system("mkdir -p $basedir/testdir");
 system("mount -t tmpfs -o nosuid none $basedir/testdir");
+system("chcon -t test_file_t $basedir/testdir");
 
 # Set entrypoint type for bounded domain under nosuid.
 system("cp $basedir/checkcon $basedir/testdir");
 system("chcon -t test_bounded_exec_t $basedir/testdir/checkcon");
 
+# Run everything from test_intermediate_t (to simplify the policy)
+$run = "runcon -t test_intermediate_t --";
+
 # Transition under NNP to bounded type via setexec.
 $result = system(
-"$basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1"
 );
 ok( $result, 0 );    #this should pass
 
 # Transition on nosuid to bounded type via setexec.
 $result = system(
-"$basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1"
+"$run $basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1"
 );
 ok( $result, 0 );    #this should pass
 
 # Automatic transition under NNP to bounded domain via exec.
 $result =
-  system("$basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1");
+  system("$run $basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1");
 ok( $result, 0 );    #this should pass
 
 # Automatic transition on nosuid to bounded domain via exec.
 $result =
-  system("$basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1");
+  system(
+    "$run $basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1");
 ok( $result, 0 );    #this should pass
 
 # Use true as an entrypoint program to test ability to exec at all.
@@ -71,25 +76,28 @@ system(
 # Transition under NNP to notbounded domain via setexec.
 $result =
   system(
-    "$basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1");
+    "$run $basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1"
+  );
 ok($result);    #this should fail
 
 # Transition on nosuid to notbounded domain via setexec.
 $result =
   system(
-    "$basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1"
   );
 ok($result);    #this should fail
 
 # Automatic transition under NNP to notbounded domain via exec.
 $result =
-  system("$basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1");
+  system(
+    "$run $basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1");
 ok($result);    #this should fail
 
 # Automatic transition on nosuid to notbounded domain via exec.
 $result =
   system(
-    "$basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1");
+    "$run $basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1"
+  );
 ok($result);    #this should fail
 
 if ($test_nnp_nosuid_transition) {
@@ -104,27 +112,28 @@ if ($test_nnp_nosuid_transition) {
     # Transition under NNP to nnptransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
     # Transition under NNP+nosuid to nnptransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1"
       );
     ok($result);         #this should fail
 
     # Automatic transition under NNP to nnptransition domain via exec.
     $result =
       system(
-        "$basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1");
+"$run $basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1"
+      );
     ok( $result, 0 );    #this should succeed
 
     # Automatic transition under NNP+nosuid to nnptransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1"
+"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1"
       );
     ok($result);         #this should fail
 
@@ -136,28 +145,28 @@ if ($test_nnp_nosuid_transition) {
     # Transition under nosuid to nosuidtransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
     # Transition under NNP+nosuid to nosuidtransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1"
       );
     ok($result);         #this should fail
 
     # Automatic transition under nosuid to nosuidtransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
+"$run $basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
     # Automatic transition under NNP+nosuid to nosuidtransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
+"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1"
       );
     ok($result);         #this should fail
 
@@ -169,14 +178,14 @@ if ($test_nnp_nosuid_transition) {
     # Transition under NNP+nosuid to nnpnosuidtransition domain via setexec.
     $result =
       system(
-"$basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1"
+"$run $basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 
  # Automatic transition under NNP+nosuid to nnpnosuidtransition domain via exec.
     $result =
       system(
-"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1"
+"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1"
       );
     ok( $result, 0 );    #this should succeed
 }
-- 
2.37.1

[PATCH testsuite 15/24] tests/*filesystem: remove weird uses of unconfined_t

[Ondrej Mosnacek]

It seems more logical to drop the associate permission for test_file_t
from the *_no_associate_t domains and use test_file_t in the tests
instead of unconfined_t. This also fixes the tests as they weren't
testing the associate permission (as the comments say), but in fact they
were failing on the lack of relabelto unconfined_t permission instead.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_filesystem.te | 8 ++------
 tests/filesystem/test     | 4 ++--
 tests/fs_filesystem/test  | 4 ++--
 tests/nfs_filesystem/test | 4 ++--
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index d8c5c51..59eac2b 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -356,16 +356,12 @@ allow test_filesystem_may_create_no_associate_t nfs_t:filesystem { associate };
 allow test_filesystem_may_create_no_associate_t test_file_t:dir { add_name };
 allow test_filesystem_may_create_no_associate_t test_file_t:file { create write relabelfrom };
 allow test_filesystem_may_create_no_associate_t test_filesystem_file_t:filesystem { mount unmount relabelto };
-allow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associate };
-allow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { getattr mount relabelto unmount };
-# neverallow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { associate };
+# neverallow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associate };
 
 allow test_filesystem_inode_setxattr_no_associate_t nfs_t:filesystem { associate };
 allow test_filesystem_inode_setxattr_no_associate_t test_file_t:dir { add_name };
 allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create relabelfrom write };
-allow test_file_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
-allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { getattr mount relabelfrom relabelto unmount };
-# neverallow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
+# neverallow test_file_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
 
 #
 ############### Rules for NFS mount ##################
diff --git a/tests/filesystem/test b/tests/filesystem/test
index c94deda..382923a 100755
--- a/tests/filesystem/test
+++ b/tests/filesystem/test
@@ -476,7 +476,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) {
 
     print "Creating test file $basedir/mntpoint/mp1/test_file\n";
     $result = system(
-"runcon -t test_filesystem_may_create_no_associate_t $basedir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_may_create_no_associate_t $basedir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
@@ -783,7 +783,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) {
     ok( $result eq 0 );
 
     $result = system(
-"runcon -t test_filesystem_inode_setxattr_no_associate_t $basedir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_inode_setxattr_no_associate_t $basedir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
diff --git a/tests/fs_filesystem/test b/tests/fs_filesystem/test
index e706e42..9917c41 100755
--- a/tests/fs_filesystem/test
+++ b/tests/fs_filesystem/test
@@ -504,7 +504,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) {
 
     print "Creating test file $basedir/mntpoint/mp1/test_file\n";
     $result = system(
-"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
@@ -813,7 +813,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) {
     ok( $result eq 0 );
 
     $result = system(
-"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
diff --git a/tests/nfs_filesystem/test b/tests/nfs_filesystem/test
index e43da67..fc8d525 100755
--- a/tests/nfs_filesystem/test
+++ b/tests/nfs_filesystem/test
@@ -240,7 +240,7 @@ while ( $i < 2 ) {
     ok( $result eq 0, $test_msg );
 
     $result = system(
-"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context $v -t unconfined_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
+"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context $v -t test_file_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
     );
     ok( $result >> 8 eq 13, $test_msg );    # EACCES
 
@@ -264,7 +264,7 @@ while ( $i < 2 ) {
     ok( $result eq 0, $test_msg );
 
     $result = system(
-"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context $v -t unconfined_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
+"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context $v -t test_file_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
     );
     ok( $result >> 8 eq 13, $test_msg );    # EACCES
 
-- 
2.37.1

[PATCH testsuite 16/24] policy: remove last hardcoded references to unconfined_t

[Ondrej Mosnacek]

Replace them with generic common interfaces.

For sysdadm_t we need to allow certain stuff also to ifconfig_t and
iptables_t domains due to type transitions.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te      | 24 ++++++++++++++++++++++++
 policy/test_inet_socket.te |  8 ++------
 policy/test_policy.if      | 16 ++++++++++++++++
 policy/test_sctp.te        |  2 +-
 4 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index 3862ee7..3536fbb 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -7,6 +7,9 @@ policy_module(test_policy,1.0.0)
 #
 
 attribute testsuite_domain;
+attribute testsuite_caller_domain;
+attribute testsuite_caller_ifconfig_domain;
+attribute testsuite_caller_iptables_domain;
 
 optional_policy(`
 	gen_require(`
@@ -14,6 +17,10 @@ optional_policy(`
 		role unconfined_r;
 	')
 
+	typeattribute unconfined_t testsuite_caller_domain;
+	typeattribute unconfined_t testsuite_caller_ifconfig_domain;
+	typeattribute unconfined_t testsuite_caller_iptables_domain;
+
 	# Transition from the caller to the test domain.
 	allow unconfined_t testsuite_domain:process transition;
 	role unconfined_r types testsuite_domain;
@@ -27,9 +34,26 @@ optional_policy(`
 
 optional_policy(`
 	gen_require(`
+		type sysadm_t;
 		role sysadm_r;
 	')
 
+	typeattribute sysadm_t testsuite_caller_domain;
+	typeattribute sysadm_t testsuite_caller_ifconfig_domain;
+	typeattribute sysadm_t testsuite_caller_iptables_domain;
+	optional_policy(`
+		gen_require(`
+			type ifconfig_t;
+		')
+		typeattribute ifconfig_t testsuite_caller_ifconfig_domain;
+	')
+	optional_policy(`
+		gen_require(`
+			type iptables_t;
+		')
+		typeattribute iptables_t testsuite_caller_iptables_domain;
+	')
+
 	# Authorize sysadm_r for the test domains.
 	role sysadm_r types testsuite_domain;
 
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index 5feb801..47969fc 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -130,12 +130,8 @@ corenet_inout_generic_node(test_inet_no_name_connect_t)
 #
 
 # For ipsec-load/ipsec-flush.
-gen_require(`
-	type unconfined_t;
-')
 type test_spd_t;
-allow unconfined_t inetsocketdomain:association setcontext;
-allow unconfined_t test_spd_t:association setcontext;
+testsuite_caller_association_setcontext({ inetsocketdomain test_spd_t })
 
 # Each of the test client domains must match against the SPD entry
 # in order to use labeled IPSEC.
@@ -147,7 +143,7 @@ allow test_inet_bad_client_t test_spd_t:association polmatch;
 #
 
 type test_server_packet_t;
-allow unconfined_t test_server_packet_t:packet relabelto;
+testsuite_caller_packet_relabelto(test_server_packet_t)
 allow test_inet_server_t test_server_packet_t:packet { send recv };
 allow test_inet_client_t test_server_packet_t:packet { send recv };
 
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 89ab6f7..5458f6c 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -51,6 +51,22 @@ interface(`testsuite_domain_type_minimal',`
 	dontaudit $1 setrans_var_run_t:dir search;
 ')
 
+interface(`testsuite_caller_association_setcontext',`
+	gen_require(`
+		attribute testsuite_caller_ifconfig_domain;
+	')
+
+	allow testsuite_caller_ifconfig_domain $1:association setcontext;
+')
+
+interface(`testsuite_caller_packet_relabelto',`
+	gen_require(`
+		attribute testsuite_caller_iptables_domain;
+	')
+
+	allow testsuite_caller_iptables_domain $1:packet relabelto;
+')
+
 # Workarounds for refpolicy:
 
 ifdef(`dev_rw_infiniband_dev', `', ` dnl
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index e276153..8db84a3 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -213,7 +213,7 @@ corenet_inout_generic_if(sctp_asconf_deny_param_add_client_t)
 ######################### SECMARK-specific policy ############################
 #
 type test_sctp_server_packet_t;
-allow unconfined_t test_sctp_server_packet_t:packet { relabelto };
+testsuite_caller_packet_relabelto(test_sctp_server_packet_t)
 allow test_sctp_server_t test_sctp_server_packet_t:packet { send recv };
 allow test_sctp_client_t test_sctp_server_packet_t:packet { send recv };
 
-- 
2.37.1

[PATCH testsuite 17/24] test_general.te: generalize the dontaudit rule

[Ondrej Mosnacek]

The unconfined_t-specific dontaudit rule here is actually also needed
for sysadm_t, so generalize it to the whole testsuite_caller_domain.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index 3536fbb..91bddd8 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -28,8 +28,6 @@ optional_policy(`
 	allow testsuite_domain unconfined_t:fd use;
 	allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr };
 	allow testsuite_domain unconfined_t:process { sigchld };
-	# needed for domains outside domain_type()
-	dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
 ')
 
 optional_policy(`
@@ -65,6 +63,9 @@ optional_policy(`
 	#selinux_get_fs_mount(sysadm_t)
 ')
 
+# Needed for domains outside domain_type()
+dontaudit testsuite_caller_domain testsuite_domain:process { noatsecure rlimitinh siginh };
+
 # Allow the test domains to access the sysadm terminal.
 # This allows read and write sysadm ttys and ptys.
 term_use_all_terms(testsuite_domain)
-- 
2.37.1

[PATCH testsuite 18/24] policy: don't audit testsuite programs searching the caller's keys

[Ondrej Mosnacek]

During the test such denials may occur. Since they don't affect testing,
prevent them from being audited to have a cleaner AVC log.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/test_global.te b/policy/test_global.te
index 91bddd8..7d399e6 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -66,6 +66,9 @@ optional_policy(`
 # Needed for domains outside domain_type()
 dontaudit testsuite_caller_domain testsuite_domain:process { noatsecure rlimitinh siginh };
 
+# keys test may trigger search AVCs for root's keys
+dontaudit testsuite_domain testsuite_caller_domain:key { search };
+
 # Allow the test domains to access the sysadm terminal.
 # This allows read and write sysadm ttys and ptys.
 term_use_all_terms(testsuite_domain)
-- 
2.37.1

[PATCH testsuite 19/24] ci: check for unconfined_t AVCs

[Ondrej Mosnacek]

These would likely signify a bug in the testsuite policy. Make sure
there are none.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .github/workflows/checks.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 59076cb..96843e4 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -38,5 +38,7 @@ jobs:
         run: while ! vagrant ssh -- true; do sleep 1s; done
       - name: Run SELinux testsuite
         run: vagrant ssh -- sudo make -C /root/testsuite test
+      - name: Check unwanted denials
+        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
       - name: Check .gitignore coverage
         run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
-- 
2.37.1

[PATCH testsuite 20/24] tests/binder: check only the type part of the context

[Ondrej Mosnacek]

This will allow running the testsuite from other contexts than the usual
unconfined.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 tests/binder/binder_common.h    |  1 +
 tests/binder/service_provider.c | 31 +++++++++++++++++++------------
 tests/binder/test               |  2 +-
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h
index 319b5dd..e516617 100644
--- a/tests/binder/binder_common.h
+++ b/tests/binder/binder_common.h
@@ -14,6 +14,7 @@
 #include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <selinux/selinux.h>
+#include <selinux/context.h>
 #include <linux/android/binder.h>
 #if HAVE_BINDERFS
 #include <linux/android/binderfs.h>
diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c
index 56d8a43..f47365c 100644
--- a/tests/binder/service_provider.c
+++ b/tests/binder/service_provider.c
@@ -1,14 +1,14 @@
 #include "binder_common.h"
 
-static char *expected_ctx;
+static char *expected_type;
 static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size);
 
 static void usage(char *progname)
 {
 	fprintf(stderr,
-		"usage:  %s -e expected_ctx] [-f file] [-n] [-m|-p|-t] [-v]\n"
+		"usage:  %s [-e expected_type] [-f file] [-n] [-m|-p|-t] [-v]\n"
 		"Where:\n\t"
-		"-e  Expected security context.\n\t"
+		"-e  Expected security type.\n\t"
 		"-f  Write a line to the file when listening starts.\n\t"
 		"-n  Use the /dev/binderfs name service.\n\t"
 		"-m  Use BPF map fd for transfer.\n\t"
@@ -162,23 +162,30 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size)
 		case BR_TRANSACTION_SEC_CTX: {
 			struct binder_transaction_data_secctx *txn_ctx =
 				(struct binder_transaction_data_secctx *)ptr;
-
 			if (verbose) {
 				printf("\tclient context:\n\t\t%s\n",
 				       (char *)txn_ctx->secctx);
 				print_trans_data(&txn_ctx->transaction_data);
 			}
 
-			if (expected_ctx) {
-				int result = strcmp(expected_ctx,
-						    (char *)txn_ctx->secctx);
-				if (result) {
+			if (expected_type) {
+				context_t ctx = context_new((const char *)txn_ctx->secctx);
+
+				if (!ctx) {
+					fprintf(stderr,
+						"Service Provider context_new: %s\n",
+						strerror(errno));
+					exit(82);
+				}
+
+				if (strcmp(expected_type, context_type_get(ctx))) {
 					fprintf(stderr, "Service Provider received incorrect context:\n");
 					fprintf(stderr, "Expected: %s\nReceived: %s\n",
-						expected_ctx,
-						(char *)txn_ctx->secctx);
+						expected_type,
+						context_type_get(ctx));
 					exit(80);
 				}
+				context_free(ctx);
 			}
 
 			if (txn_ctx->transaction_data.code == TEST_SERVICE_SEND_FD)
@@ -240,14 +247,14 @@ int main(int argc, char **argv)
 	} __attribute__((packed)) writebuf;
 	unsigned int readbuf[32];
 
-	expected_ctx = NULL;
+	expected_type = NULL;
 	fd_type = BINDER_FD;
 	fd_type_str = "SP";
 
 	while ((opt = getopt(argc, argv, "e:f:nvmpt")) != -1) {
 		switch (opt) {
 		case 'e':
-			expected_ctx = optarg;
+			expected_type = optarg;
 			break;
 		case 'f':
 			flag_file = optarg;
diff --git a/tests/binder/test b/tests/binder/test
index 9914759..95af41a 100755
--- a/tests/binder/test
+++ b/tests/binder/test
@@ -163,7 +163,7 @@ if ($test_binder_ctx) {
     $sp_pid = service_start(
         "service_provider",
         "-t test_binder_provider_t",
-        "$n $v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023"
+        "$n $v -e test_binder_client_t"
     );
 
 # 8 Verify that authorized client and service provider can communicate with the binder service manager.
-- 
2.37.1

[PATCH testsuite 21/24] tests/overlay: don't hard-code SELinux user of the caller

[Ondrej Mosnacek]

We want to allow the testsuite caller to be other than unconfined, so
extract the user from current context and use it instead of hard-coding
unconfined_u.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 tests/overlay/setup-overlay |  2 +-
 tests/overlay/test          | 34 ++++++++++++++++------------------
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay
index 4fcd023..3f33499 100755
--- a/tests/overlay/setup-overlay
+++ b/tests/overlay/setup-overlay
@@ -41,7 +41,7 @@ setup () {
 
     # Create upper, work, and overlay directories per container.
     mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged
-    chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1
+    chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1
 
     # Label the container directories to match the container context.
     # This is simply to ensure correct label inheritance on new file
diff --git a/tests/overlay/test b/tests/overlay/test
index 2b28c47..c8367dd 100755
--- a/tests/overlay/test
+++ b/tests/overlay/test
@@ -5,6 +5,10 @@ BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
 
+    $seuser = `id -Z`;
+    chop($seuser);
+    $seuser =~ s|^(\w+):.*$|$1|;
+
     $isnfs = `stat -f --print %T $basedir`;
 
     # check if kernel supports overlayfs and SELinux labeling
@@ -92,7 +96,7 @@ sub test_4_0 {
     $output = getfilecon("$basedir/container1/upper/writefile");
 
     # Newly created writefile should have s0 MCS Label since it was copied up
-    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
 }
 
 sub test_4_0_ctx {
@@ -100,8 +104,7 @@ sub test_4_0_ctx {
     $output = getfilecon("$basedir/container1/upper/writefile");
 
     # Newly created writefile should have s0 MCS Label since it was copied up
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_5 {
@@ -127,8 +130,7 @@ sub test_5_1 {
     $output = getfilecon("$basedir/container1/upper/newdir");
 
     # Newly created writedir should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_5_2 {
@@ -146,8 +148,7 @@ sub test_5_3 {
     $output = getfilecon("$basedir/container1/upper/newdir/touchlink");
 
     # Newly created writelink should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_6 {
@@ -173,7 +174,7 @@ sub test_7_0 {
     $output = getfilecon("$basedir/container1/upper/writedir/bar");
 
     # Newly created bar should have s0:c10,c20 since it was created new
-    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
 }
 
 sub test_7_0_ctx {
@@ -181,8 +182,7 @@ sub test_7_0_ctx {
     $output = getfilecon("$basedir/container1/upper/writedir/bar");
 
     # Newly created bar should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_7_1 {
@@ -200,7 +200,7 @@ sub test_7_1_0 {
     $output = getfilecon("$basedir/container1/upper/writedir/writelink");
 
     # Newly created writelink should have s0:c10,c20 since it was created new
-    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
 }
 
 sub test_7_1_0_ctx {
@@ -208,8 +208,7 @@ sub test_7_1_0_ctx {
     $output = getfilecon("$basedir/container1/upper/writedir/writelink");
 
     # Newly created writelink should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_7_2 {
@@ -445,7 +444,7 @@ sub test_42 {
 
     # Newly created writeout should have s0:c10,c20 since it was created new
     ok( $output eq
-          "unconfined_u:object_r:test_overlay_transition_files_t:s0:c10,c20" );
+          "$seuser:object_r:test_overlay_transition_files_t:s0:c10,c20" );
 }
 
 sub test_42_ctx {
@@ -453,8 +452,7 @@ sub test_42_ctx {
     $output = getfilecon("$basedir/container1/upper/transition");
 
     # Newly created writeout should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_43 {
@@ -822,7 +820,7 @@ sub nocontext_test {
 sub context_test {
 
     cleanup();
-    $context = "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20";
+    $context = "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20";
     print "\n\n=====================================================\n";
     print "Testing mounting overlayfs with context switch\n";
     print "context=$context\n";
@@ -943,7 +941,7 @@ sub context_test {
 sub context_rot_t_test {
 
     cleanup();
-    $context = "unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20";
+    $context = "$seuser:object_r:test_overlay_files_ro_t:s0:c10,c20";
     print "\n\n=====================================================\n";
     print "Testing mounting overlayfs with context switch\n";
     print "context=$context\n";
-- 
2.37.1

[PATCH testsuite 22/24] policy: give sysadm_t perms needed to run quotacheck(8)

[Ondrej Mosnacek]

Unfortunately this is not allowed in the Fedora policy currently, so we
need to work around it.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_global.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/test_global.te b/policy/test_global.te
index 7d399e6..2592553 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -58,6 +58,10 @@ optional_policy(`
 	# Allow the test domain to be entered from sysadm_t
 	sysadm_entry_spec_domtrans_to(testsuite_domain)
 
+	# Needed for quotacheck(8) in the filesystem test to succeed
+	fs_remount_xattr_fs(sysadm_t)
+	storage_raw_read_fixed_disk(sysadm_t)
+
 	# Let sysadm_t use runcon to run the test programs in various domains.
 	#allow sysadm_t self:process setexec;
 	#selinux_get_fs_mount(sysadm_t)
-- 
2.37.1

[PATCH testsuite 23/24] tests/vsock_socket: use modprobe to check vsock availability

[Ondrej Mosnacek]

On Fedora sysadm_t is not allowed to create vsock sockets, so the check
would fail. Since modprobing the relevant kernel modules is also a
reliable way to check the general vsock support, use that instead of the
more direct check.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 tests/vsock_socket/.gitignore    |  1 -
 tests/vsock_socket/Makefile      |  2 +-
 tests/vsock_socket/check_vsock.c | 47 --------------------------------
 tests/vsock_socket/test          | 11 ++------
 4 files changed, 4 insertions(+), 57 deletions(-)
 delete mode 100644 tests/vsock_socket/check_vsock.c

diff --git a/tests/vsock_socket/.gitignore b/tests/vsock_socket/.gitignore
index 13eeb1b..f2ad853 100644
--- a/tests/vsock_socket/.gitignore
+++ b/tests/vsock_socket/.gitignore
@@ -1,3 +1,2 @@
 client
 server
-check_vsock
diff --git a/tests/vsock_socket/Makefile b/tests/vsock_socket/Makefile
index bf6ec7b..5266096 100644
--- a/tests/vsock_socket/Makefile
+++ b/tests/vsock_socket/Makefile
@@ -1,4 +1,4 @@
-TARGETS=client server check_vsock
+TARGETS=client server
 
 LDLIBS+= -lselinux
 
diff --git a/tests/vsock_socket/check_vsock.c b/tests/vsock_socket/check_vsock.c
deleted file mode 100644
index 6eecd62..0000000
--- a/tests/vsock_socket/check_vsock.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-
-// Must be included after sys/socket.h
-#include <linux/vm_sockets.h>
-
-int main(int argc, char **argv)
-{
-	int sock;
-	struct sockaddr_vm svm;
-
-	sock = socket(AF_VSOCK, SOCK_STREAM, 0);
-	if (sock < 0) {
-		if (errno == EAFNOSUPPORT) {
-			// AF_VSOCK not supported
-			exit(2);
-		} else {
-			perror("socket");
-			exit(1);
-		}
-	}
-
-	bzero(&svm, sizeof(svm));
-	svm.svm_family = AF_VSOCK;
-	svm.svm_port = VMADDR_PORT_ANY;
-	svm.svm_cid = VMADDR_CID_LOCAL;
-
-	if (bind(sock, (struct sockaddr *)&svm, sizeof(svm)) < 0) {
-		if (errno == EADDRNOTAVAIL) {
-			// vsock_loopback not supported
-			close(sock);
-			exit(3);
-		} else {
-			perror("bind");
-			close(sock);
-			exit(1);
-		}
-	}
-
-	close(sock);
-	exit(0);
-}
diff --git a/tests/vsock_socket/test b/tests/vsock_socket/test
index f05b972..9a0d72c 100755
--- a/tests/vsock_socket/test
+++ b/tests/vsock_socket/test
@@ -6,19 +6,14 @@ BEGIN {
     $basedir =~ s|(.*)/[^/]*|$1|;
 
     # check if vsock and vsock_loopback are available
-    $rc = system("$basedir/check_vsock");
-
-    if ( $rc eq 0 ) {
-        plan tests => 12;
-    }
-    elsif ( $rc eq 2 << 8 ) {
+    if ( system("modprobe vsock 2>/dev/null") ne 0 ) {
         plan skip_all => "vsock socket family not supported";
     }
-    elsif ( $rc eq 3 << 8 ) {
+    elsif ( system("modprobe vsock_loopback 2>/dev/null") ne 0 ) {
         plan skip_all => "vsock_loopback transport not supported";
     }
     else {
-        plan skip_all => "unexpected error when checking vsock support";
+        plan tests => 12;
     }
 }
 
-- 
2.37.1

[PATCH testsuite 24/24] ci: add sysadm_t to the test matrix

[Ondrej Mosnacek]

The testsuite should now be passing under the sysadm user as well, so
test it.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .github/workflows/checks.yml |  4 +++-
 Vagrantfile                  | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 96843e4..37455ea 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -15,6 +15,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        domain: [unconfined_t, sysadm_t]
         env:
           - { version: 35, kernel: default }
           - { version: 36, kernel: default }
@@ -22,6 +23,7 @@ jobs:
     env:
       FEDORA_VERSION: ${{ matrix.env.version }}
       KERNEL_TYPE: ${{ matrix.env.kernel }}
+      ROOT_DOMAIN: ${{ matrix.domain }}
     steps:
       - uses: actions/checkout@v2
       # macOS sometimes allows symlinks to have permissions other than 777,
@@ -39,6 +41,6 @@ jobs:
       - name: Run SELinux testsuite
         run: vagrant ssh -- sudo make -C /root/testsuite test
       - name: Check unwanted denials
-        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
+        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
       - name: Check .gitignore coverage
         run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
diff --git a/Vagrantfile b/Vagrantfile
index 783df5d..ec3a492 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
     abort
   end
 
+  extra_commands = ''
+  case ENV['ROOT_DOMAIN']
+  when 'unconfined_t'
+  when 'sysadm_t'
+    extra_commands = <<EOF
+      semanage boolean --modify --on ssh_sysadm_login
+      semanage login --modify -s sysadm_u root
+      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
+EOF
+    reboot_cmd = 'reboot'
+  else
+    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
+    abort
+  end
+
   config.vm.provision :shell, inline: <<SCRIPT
     dnf install -y #{dnf_opts} \
       --allowerasing \
@@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
       jfsutils \
       dosfstools \
       #{kernel_pkgs}
+    #{extra_commands}
     #{reboot_cmd}
 SCRIPT
 end
-- 
2.37.1

Re: [PATCH testsuite 00/24] Clean up testsuite policy and support running as sysadm_t

[Ondrej Mosnacek]

On Fri, Jul 29, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> This series aim for two things:
> 1. Refactor the policy so that it is easier to work with.
> 2. Leverage the refactoring to fully support running the testsuite
>    as sysadm_u:sysadm_r:sysadm_t.
>
> The gist of this work lies in unifying how test domains are defined,
> deduplicating the various boilerplate spread out all across the
> individual files (and not even used consistently), and in abstracting
> the policy caller domain/role away from the individual test policies
> into test_general.te. Some tests also had to be massaged to not
> hard-code unconfined_* and be generic against the context of the
> testsuite caller.
>
> The series also extends the CI to test running the testsuite as sysadm_*
> and also verify that no unconfined_t/sysadm_t unexpected denials are
> produced (which would usually indicate a missing dontaudit rule in the
> testsuite policy).

Lol, I got a bounce for patches 4 and 5 because they are too long :D
Hopefully the list owners can approve them manually. If not, I'll
submit this series as a GitHub PR and post a link here.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 24/24] ci: add sysadm_t to the test matrix

[Topi Miettinen]

On 29.7.2022 15.02, Ondrej Mosnacek wrote:
> The testsuite should now be passing under the sysadm user as well, so
> test it.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   .github/workflows/checks.yml |  4 +++-
>   Vagrantfile                  | 16 ++++++++++++++++
>   2 files changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
> index 96843e4..37455ea 100644
> --- a/.github/workflows/checks.yml
> +++ b/.github/workflows/checks.yml
> @@ -15,6 +15,7 @@ jobs:
>       strategy:
>         fail-fast: false
>         matrix:
> +        domain: [unconfined_t, sysadm_t]
>           env:
>             - { version: 35, kernel: default }
>             - { version: 36, kernel: default }
> @@ -22,6 +23,7 @@ jobs:
>       env:
>         FEDORA_VERSION: ${{ matrix.env.version }}
>         KERNEL_TYPE: ${{ matrix.env.kernel }}
> +      ROOT_DOMAIN: ${{ matrix.domain }}
>       steps:
>         - uses: actions/checkout@v2
>         # macOS sometimes allows symlinks to have permissions other than 777,
> @@ -39,6 +41,6 @@ jobs:
>         - name: Run SELinux testsuite
>           run: vagrant ssh -- sudo make -C /root/testsuite test
>         - name: Check unwanted denials
> -        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
> +        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
>         - name: Check .gitignore coverage
>           run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
> diff --git a/Vagrantfile b/Vagrantfile
> index 783df5d..ec3a492 100644
> --- a/Vagrantfile
> +++ b/Vagrantfile
> @@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
>       abort
>     end
>   
> +  extra_commands = ''
> +  case ENV['ROOT_DOMAIN']
> +  when 'unconfined_t'
> +  when 'sysadm_t'
> +    extra_commands = <<EOF
> +      semanage boolean --modify --on ssh_sysadm_login
> +      semanage login --modify -s sysadm_u root
> +      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
> +EOF
> +    reboot_cmd = 'reboot'

Is this line needed?

-Topi

> +  else
> +    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
> +    abort
> +  end
> +
>     config.vm.provision :shell, inline: <<SCRIPT
>       dnf install -y #{dnf_opts} \
>         --allowerasing \
> @@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
>         jfsutils \
>         dosfstools \
>         #{kernel_pkgs}
> +    #{extra_commands}
>       #{reboot_cmd}
>   SCRIPT
>   end

Re: [PATCH testsuite 24/24] ci: add sysadm_t to the test matrix

[Ondrej Mosnacek]

On Sat, Jul 30, 2022 at 10:13 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> On 29.7.2022 15.02, Ondrej Mosnacek wrote:
> > The testsuite should now be passing under the sysadm user as well, so
> > test it.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   .github/workflows/checks.yml |  4 +++-
> >   Vagrantfile                  | 16 ++++++++++++++++
> >   2 files changed, 19 insertions(+), 1 deletion(-)
> >
> > diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
> > index 96843e4..37455ea 100644
> > --- a/.github/workflows/checks.yml
> > +++ b/.github/workflows/checks.yml
> > @@ -15,6 +15,7 @@ jobs:
> >       strategy:
> >         fail-fast: false
> >         matrix:
> > +        domain: [unconfined_t, sysadm_t]
> >           env:
> >             - { version: 35, kernel: default }
> >             - { version: 36, kernel: default }
> > @@ -22,6 +23,7 @@ jobs:
> >       env:
> >         FEDORA_VERSION: ${{ matrix.env.version }}
> >         KERNEL_TYPE: ${{ matrix.env.kernel }}
> > +      ROOT_DOMAIN: ${{ matrix.domain }}
> >       steps:
> >         - uses: actions/checkout@v2
> >         # macOS sometimes allows symlinks to have permissions other than 777,
> > @@ -39,6 +41,6 @@ jobs:
> >         - name: Run SELinux testsuite
> >           run: vagrant ssh -- sudo make -C /root/testsuite test
> >         - name: Check unwanted denials
> > -        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
> > +        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
> >         - name: Check .gitignore coverage
> >           run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
> > diff --git a/Vagrantfile b/Vagrantfile
> > index 783df5d..ec3a492 100644
> > --- a/Vagrantfile
> > +++ b/Vagrantfile
> > @@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
> >       abort
> >     end
> >
> > +  extra_commands = ''
> > +  case ENV['ROOT_DOMAIN']
> > +  when 'unconfined_t'
> > +  when 'sysadm_t'
> > +    extra_commands = <<EOF
> > +      semanage boolean --modify --on ssh_sysadm_login
> > +      semanage login --modify -s sysadm_u root
> > +      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
> > +EOF
> > +    reboot_cmd = 'reboot'
>
> Is this line needed?

Indeed it's not. I used an existing script for setting up MLS policy
on a host as inspiration when writing this and didn't think twice
about whether I also need to preserve the reboot part :) I'll remove
it.

Thanks for the suggestion!

>
> -Topi
>
> > +  else
> > +    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
> > +    abort
> > +  end
> > +
> >     config.vm.provision :shell, inline: <<SCRIPT
> >       dnf install -y #{dnf_opts} \
> >         --allowerasing \
> > @@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
> >         jfsutils \
> >         dosfstools \
> >         #{kernel_pkgs}
> > +    #{extra_commands}
> >       #{reboot_cmd}
> >   SCRIPT
> >   end
>

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 00/24] Clean up testsuite policy and support running as sysadm_t

[Ondrej Mosnacek]

On Fri, Jul 29, 2022 at 2:27 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Fri, Jul 29, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > This series aim for two things:
> > 1. Refactor the policy so that it is easier to work with.
> > 2. Leverage the refactoring to fully support running the testsuite
> >    as sysadm_u:sysadm_r:sysadm_t.
> >
> > The gist of this work lies in unifying how test domains are defined,
> > deduplicating the various boilerplate spread out all across the
> > individual files (and not even used consistently), and in abstracting
> > the policy caller domain/role away from the individual test policies
> > into test_general.te. Some tests also had to be massaged to not
> > hard-code unconfined_* and be generic against the context of the
> > testsuite caller.
> >
> > The series also extends the CI to test running the testsuite as sysadm_*
> > and also verify that no unconfined_t/sysadm_t unexpected denials are
> > produced (which would usually indicate a missing dontaudit rule in the
> > testsuite policy).
>
> Lol, I got a bounce for patches 4 and 5 because they are too long :D
> Hopefully the list owners can approve them manually. If not, I'll
> submit this series as a GitHub PR and post a link here.

The patches are still not there, so opened a pull request:
https://github.com/SELinuxProject/selinux-testsuite/pull/82

One can fetch the contents of the PR in the git-format-patch format
through the following URL:
https://github.com/SELinuxProject/selinux-testsuite/pull/82.patch

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy

[Daniel Burgener]

On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> This is good to have for pretty much all domains, so remove the
> individual calls and move it to test_general.te.
> 

For whatever reason, test_sysnice.te uses

domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)

instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access 
added in the global attribute here covers that and the 
domain_transition_pattern() there can be deleted as well.

Between that and the change to test_setnice.te in Patch 9, this comment 
above those two lines seems obsolete and can probably be deleted:

# Allow all of these domains to be entered from sysadm domain
# via a shell script in the test directory or by....

-Daniel

Re: [PATCH testsuite 09/24] policy: move miscfiles_domain_entry_test_files() to general policy

[Daniel Burgener]

On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> This is good to have for pretty much all domains, so remove the
> individual calls and move it to test_general.te.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   policy/test_binder.te                | 5 -----
>   policy/test_binder_bpf.te            | 5 -----
>   policy/test_bounds.te                | 1 -
>   policy/test_bpf.te                   | 5 -----
>   policy/test_cap_userns.te            | 1 -
>   policy/test_capable_file.te          | 1 -
>   policy/test_dyntrace.te              | 1 -
>   policy/test_dyntrans.te              | 4 ----
>   policy/test_execshare.te             | 3 ---
>   policy/test_exectrace.te             | 3 ---
>   policy/test_extended_socket_class.te | 3 ---
>   policy/test_fdreceive.te             | 3 ---
>   policy/test_fdreceive_bpf.te         | 3 ---
>   policy/test_file.te                  | 3 ---
>   policy/test_filesystem.te            | 5 -----
>   policy/test_global.te                | 4 +++-
>   policy/test_ibendport.te             | 3 ---
>   policy/test_ibpkey.te                | 3 ---
>   policy/test_inet_socket.te           | 3 ---
>   policy/test_inherit.te               | 3 ---
>   policy/test_ioctl.te                 | 1 -
>   policy/test_ipc.te                   | 1 -
>   policy/test_key_socket.te            | 5 -----
>   policy/test_keys.te                  | 5 -----
>   policy/test_mmap.te                  | 3 ---
>   policy/test_module_load.te           | 5 -----
>   policy/test_mqueue.te                | 3 ---
>   policy/test_netlink_socket.te        | 3 ---
>   policy/test_notify.te                | 2 --
>   policy/test_open.te                  | 3 ---
>   policy/test_perf_event.te            | 5 -----
>   policy/test_prlimit.te               | 7 -------
>   policy/test_ptrace.te                | 4 ----
>   policy/test_sctp.te                  | 5 -----
>   policy/test_setnice.te               | 1 -
>   policy/test_sigkill.te               | 1 -
>   policy/test_task_create.te           | 5 -----
>   policy/test_task_getpgid.te          | 3 ---
>   policy/test_task_getsched.te         | 3 ---
>   policy/test_task_getsid.te           | 3 ---
>   policy/test_task_setpgid.te          | 3 ---
>   policy/test_task_setsched.te         | 3 ---
>   policy/test_tun_tap.te               | 5 -----
>   policy/test_unix_socket.te           | 3 ---
>   policy/test_userfaultfd.te           | 3 ---
>   policy/test_vsock_socket.te          | 3 ---
>   policy/test_watchkey.te              | 5 -----
>   47 files changed, 3 insertions(+), 152 deletions(-)
> 
> diff --git a/policy/test_binder.te b/policy/test_binder.te
> index 096c467..4c7974a 100644
> --- a/policy/test_binder.te
> +++ b/policy/test_binder.te
> @@ -94,8 +94,3 @@ allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call };
>   allow test_binder_client_no_transfer_t test_binder_provider_t:binder { call impersonate };
>   allow test_binder_client_no_transfer_t device_t:chr_file { getattr ioctl open read write };
>   allow_map(test_binder_client_no_transfer_t, device_t, chr_file)
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(binderdomain)
> diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
> index 2d91af2..fa79320 100644
> --- a/policy/test_binder_bpf.te
> +++ b/policy/test_binder_bpf.te
> @@ -57,8 +57,3 @@ allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
>   allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
>   allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
>   allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(binderbpfdomain)
> diff --git a/policy/test_bounds.te b/policy/test_bounds.te
> index 60fbd0b..d132d8a 100644
> --- a/policy/test_bounds.te
> +++ b/policy/test_bounds.te
> @@ -63,5 +63,4 @@ allow test_bounds_child_domain test_bounds_file_green_t : file { getattr setattr
>   allow test_bounds_child_domain test_bounds_file_blue_t : file { getattr setattr };
>   
>   # Allow all of these domains to be entered from sysadm domain
> -miscfiles_domain_entry_test_files(test_bounds_domain)
>   sysadm_entry_spec_domtrans(test_bounds_domain)
> diff --git a/policy/test_bpf.te b/policy/test_bpf.te
> index fb21c29..5eab0bd 100644
> --- a/policy/test_bpf.te
> +++ b/policy/test_bpf.te
> @@ -57,8 +57,3 @@ typeattribute test_bpf_deny_prog_run_t bpfdomain;
>   allow test_bpf_deny_prog_run_t self:process { setrlimit };
>   allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
>   allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
> -
> -#
> -############ Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(bpfdomain)
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index fa90528..cfa510c 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -19,7 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t)
>   typeattribute test_no_cap_userns_t capusernsdomain;
>   
>   # Rules common to both domains.
> -miscfiles_domain_entry_test_files(capusernsdomain)
>   corecmd_exec_bin(capusernsdomain)
>   
>   # linux >= v5.12 needs setfcap to map UID 0
> diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te
> index 9ce9487..2383f6e 100644
> --- a/policy/test_capable_file.te
> +++ b/policy/test_capable_file.te
> @@ -39,7 +39,6 @@ libs_exec_ld_so(capabledomain)
>   libs_exec_lib_files(capabledomain)
>   
>   # Allow test_file_t and bin_t to be entered from sysadm role
> -miscfiles_domain_entry_test_files(capabledomain)
>   corecmd_bin_entry_type(capabledomain)
>   sysadm_bin_spec_domtrans_to(capabledomain)
>   
> diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te
> index 0a598a4..09f983a 100644
> --- a/policy/test_dyntrace.te
> +++ b/policy/test_dyntrace.te
> @@ -25,7 +25,6 @@ testsuite_domain_type(test_dyntrace_notchild_t)
>   typeattribute test_dyntrace_notchild_t dyntracedomain;
>   
>   # Allow test_files_t to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(dyntracedomain)
>   miscfiles_exec_test_files(dyntracedomain)
>   
>   # Grant the necessary permissions for the child domain.
> diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te
> index e4110c5..73fe77d 100644
> --- a/policy/test_dyntrans.te
> +++ b/policy/test_dyntrans.te
> @@ -23,7 +23,3 @@ typeattribute test_dyntrans_todomain_t dyntransdomain;
>   
>   # Allow the fromdomain to dyntrans to the new domain.
>   allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(dyntransdomain)
> -
> diff --git a/policy/test_execshare.te b/policy/test_execshare.te
> index 22ed09f..c127662 100644
> --- a/policy/test_execshare.te
> +++ b/policy/test_execshare.te
> @@ -20,9 +20,6 @@ type test_execshare_notchild_t;
>   testsuite_domain_type(test_execshare_notchild_t);
>   typeattribute test_execshare_notchild_t execsharedomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(execsharedomain)
> -
>   # Grant the necessary permissions for the child domain.
>   domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
>   allow test_execshare_parent_t test_execshare_child_t:fd use;
> diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te
> index 302ba80..d5b74ad 100644
> --- a/policy/test_exectrace.te
> +++ b/policy/test_exectrace.te
> @@ -23,9 +23,6 @@ type test_exectrace_notchild_t;
>   testsuite_domain_type(test_exectrace_notchild_t)
>   typeattribute test_exectrace_notchild_t exectracedomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(exectracedomain)
> -
>   # Grant the necessary permissions for the child domain.
>   domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
>   allow test_exectrace_parent_t test_exectrace_child_t:fd use;
> diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
> index 681a71d..c8840b4 100644
> --- a/policy/test_extended_socket_class.te
> +++ b/policy/test_extended_socket_class.te
> @@ -54,6 +54,3 @@ extended_socket_class_test(alg_socket, socket)
>   
>   # Trigger kernel module auto-loading of the network protocol implementations.
>   kernel_request_load_module(extsocktestdomain)
> -
> -# Entry into the test domains via the test program.
> -miscfiles_domain_entry_test_files(extsocktestdomain)
> diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
> index 9987503..df9e974 100644
> --- a/policy/test_fdreceive.te
> +++ b/policy/test_fdreceive.te
> @@ -30,9 +30,6 @@ type test_fdreceive_server_t;
>   testsuite_domain_type(test_fdreceive_server_t);
>   typeattribute test_fdreceive_server_t fdreceivedomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(fdreceivedomain)
> -
>   # Grant the necessary permissions for the server domain.
>   ## Create the Unix domain socket file.
>   allow test_fdreceive_server_t test_file_t:dir rw_dir_perms;
> diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
> index 264a703..fd633ae 100644
> --- a/policy/test_fdreceive_bpf.te
> +++ b/policy/test_fdreceive_bpf.te
> @@ -48,6 +48,3 @@ allow test_fdreceive_bpf_client3_t self:process { setrlimit };
>   # Server side rules:
>   allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
>   allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(fdreceivebpfdomain)
> diff --git a/policy/test_file.te b/policy/test_file.te
> index 9acc211..5bb0398 100644
> --- a/policy/test_file.te
> +++ b/policy/test_file.te
> @@ -53,9 +53,6 @@ libs_use_shared_libs(fileopdomain)
>   libs_exec_ld_so(fileopdomain)
>   libs_exec_lib_files(fileopdomain)
>   
> -# Allow all of these domains to be entered from sysadm domain
> -miscfiles_domain_entry_test_files(fileopdomain)
> -
>   corecmd_bin_entry_type(fileopdomain)
>   sysadm_bin_spec_domtrans_to(fileopdomain)
>   
> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> index fd06d5d..5de489c 100644
> --- a/policy/test_filesystem.te
> +++ b/policy/test_filesystem.te
> @@ -408,8 +408,3 @@ allow test_filesystem_no_mount_t dosfs_t:filesystem { associate };
>   allow test_filesystem_no_remount_t dosfs_t:filesystem { associate };
>   allow test_filesystem_no_unmount_t dosfs_t:filesystem { associate };
>   allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(filesystemdomain)
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 5ef3b02..667c272 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -51,8 +51,10 @@ allow testsuite_domain self:capability { dac_override dac_read_search };
>   #allow sysadm_t self:process setexec;
>   #selinux_get_fs_mount(sysadm_t)
>   
> -# Let all test domains read test directories and files.
> +# Let all test domains read test directories and files and to use test
> +# files as entry points.
>   miscfiles_read_test_files(testsuite_domain)
> +miscfiles_domain_entry_test_files(testsuite_domain)
>   
>   # Let the test domains set their current, exec and fscreate contexts.
>   allow testsuite_domain self:process setcurrent;
> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> index a403be0..ccfea28 100644
> --- a/policy/test_ibendport.te
> +++ b/policy/test_ibendport.te
> @@ -29,6 +29,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
>   ')
>   
>   allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(ibendportdomain)
> diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
> index de0f5e1..863ff16 100644
> --- a/policy/test_ibpkey.te
> +++ b/policy/test_ibpkey.te
> @@ -22,6 +22,3 @@ corenet_ib_pkey(test_ibpkey_t)
>   ifdef(`corenet_ib_access_unlabeled_pkeys',`
>   corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
>   ')
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(ibpkeydomain)
> diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
> index dd0e83c..5feb801 100644
> --- a/policy/test_inet_socket.te
> +++ b/policy/test_inet_socket.te
> @@ -158,6 +158,3 @@ allow test_inet_client_t test_server_packet_t:packet { send recv };
>   # Send/recv unlabeled packets.
>   kernel_sendrecv_unlabeled_packets(inetsocketdomain)
>   kernel_recvfrom_unlabeled_peer(inetsocketdomain)
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(inetsocketdomain)
> diff --git a/policy/test_inherit.te b/policy/test_inherit.te
> index 15ab8fc..da26ea3 100644
> --- a/policy/test_inherit.te
> +++ b/policy/test_inherit.te
> @@ -31,9 +31,6 @@ type test_inherit_nowrite_t;
>   testsuite_domain_type(test_inherit_nowrite_t)
>   typeattribute test_inherit_nowrite_t inheritdomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(inheritdomain)
> -
>   # Grant the necessary permissions for the parent domain.
>   allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
>   
> diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te
> index 955695d..dc645f4 100644
> --- a/policy/test_ioctl.te
> +++ b/policy/test_ioctl.te
> @@ -30,7 +30,6 @@ libs_exec_lib_files(ioctldomain)
>   
>   # Allow all of these domains to be entered from sysadm domain
>   # via a shell script in the test directory or by....
> -miscfiles_domain_entry_test_files(ioctldomain)
>   corecmd_bin_entry_type(ioctldomain)
>   sysadm_bin_spec_domtrans_to(ioctldomain)
>   
> diff --git a/policy/test_ipc.te b/policy/test_ipc.te
> index f68d35c..21d997b 100644
> --- a/policy/test_ipc.te
> +++ b/policy/test_ipc.te
> @@ -67,7 +67,6 @@ fs_rw_tmpfs_files(ipcdomain)
>   
>   # Allow all of these domains to be entered from user domains.
>   # via a shell script in the test directory or by another program.
> -miscfiles_domain_entry_test_files(ipcdomain)
>   corecmd_bin_entry_type(ipcdomain)
>   sysadm_bin_spec_domtrans_to(ipcdomain)
>   
> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
> index 2763472..27a1545 100644
> --- a/policy/test_key_socket.te
> +++ b/policy/test_key_socket.te
> @@ -48,10 +48,5 @@ typeattribute test_key_sock_no_read_t keysockdomain;
>   allow test_key_sock_no_read_t self:capability { net_admin };
>   allow test_key_sock_no_read_t self:key_socket { create write setopt };
>   
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(keysockdomain)
> -
>   # For CONFIG_NET_KEY=m
>   kernel_request_load_module(keysockdomain)
> diff --git a/policy/test_keys.te b/policy/test_keys.te
> index de1b46c..250950e 100644
> --- a/policy/test_keys.te
> +++ b/policy/test_keys.te
> @@ -164,8 +164,3 @@ typeattribute test_request_keys_no_link_t keydomain;
>   
>   allow test_request_keys_no_link_t self:key { create write search read view link setattr };
>   allow test_request_keys_no_link_t test_keyring_service_t:key { read write search view setattr };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(keydomain)
> diff --git a/policy/test_mmap.te b/policy/test_mmap.te
> index eb59dbe..d0850cc 100644
> --- a/policy/test_mmap.te
> +++ b/policy/test_mmap.te
> @@ -152,6 +152,3 @@ testsuite_domain_type(test_no_execmod_t)
>   typeattribute test_no_execmod_t mmaptestdomain;
>   allow test_no_execmod_t test_mmap_file_t:file { open read execute };
>   allow_map(test_no_execmod_t, test_mmap_file_t, file)
> -
> -# Allow entrypoint via the test programs.
> -miscfiles_domain_entry_test_files(mmaptestdomain)
> diff --git a/policy/test_module_load.te b/policy/test_module_load.te
> index 770b2dd..a856706 100644
> --- a/policy/test_module_load.te
> +++ b/policy/test_module_load.te
> @@ -41,8 +41,3 @@ allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
>   allow test_kmodule_deny_module_request_t self:system { module_load };
>   allow_lockdown_integrity(test_kmodule_deny_module_request_t)
>   neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(kmoduledomain)
> diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te
> index ea3fa68..65ffe6d 100644
> --- a/policy/test_mqueue.te
> +++ b/policy/test_mqueue.te
> @@ -55,9 +55,6 @@ type mqop_mqrw_t;
>   files_type(mqop_mqrw_t)
>   
>   
> -# basic permision for all mqopdomains
> -miscfiles_domain_entry_test_files(mqopdomain)
> -
>   corecmd_bin_entry_type(mqopdomain)
>   sysadm_bin_spec_domtrans_to(mqopdomain)
>   
> diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
> index 589e372..b6d39c2 100644
> --- a/policy/test_netlink_socket.te
> +++ b/policy/test_netlink_socket.te
> @@ -41,8 +41,5 @@ netlink_socket_test(netlink_crypto_socket)
>   # Common rules for all netlink socket class test domains.
>   #
>   
> -# Entry into the test domains via the test program.
> -miscfiles_domain_entry_test_files(netlinksocktestdomain)
> -
>   # Trigger kernel module auto-loading of the protocol implementations.
>   kernel_request_load_module(netlinksocktestdomain)
> diff --git a/policy/test_notify.te b/policy/test_notify.te
> index 4ffd287..fe60274 100644
> --- a/policy/test_notify.te
> +++ b/policy/test_notify.te
> @@ -73,5 +73,3 @@ testsuite_domain_type(test_rdonly_t)
>   typeattribute test_rdonly_t test_notify_domain;
>   
>   allow test_rdonly_t test_notify_file_t:dir { read open watch };
> -
> -miscfiles_domain_entry_test_files(test_notify_domain)
> diff --git a/policy/test_open.te b/policy/test_open.te
> index 0d662f0..f01a5fe 100644
> --- a/policy/test_open.te
> +++ b/policy/test_open.te
> @@ -28,6 +28,3 @@ type test_append_t;
>   testsuite_domain_type(test_append_t)
>   typeattribute test_append_t test_open_domain;
>   allow test_append_t test_open_file_t:file append_file_perms;
> -
> -# Allow all of these domains to be entered from sysadm domain
> -miscfiles_domain_entry_test_files(test_open_domain)
> diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> index 8a914ff..5db46cd 100644
> --- a/policy/test_perf_event.te
> +++ b/policy/test_perf_event.te
> @@ -70,8 +70,3 @@ typeattribute test_perf_no_write_t perfdomain;
>   allow test_perf_no_write_t self:capability2 { perfmon };
>   allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
>   allow_lockdown_confidentiality(test_perf_no_write_t)
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(perfdomain)
> diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te
> index 4b6a5c8..b0314f3 100644
> --- a/policy/test_prlimit.te
> +++ b/policy/test_prlimit.te
> @@ -36,10 +36,3 @@ spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t)
>   
>   prlimit_test(setrlimit)
>   prlimit_test(getrlimit)
> -
> -#
> -# Common rules for all prlimit test domains.
> -#
> -
> -# Entry into the test domains via the test program.
> -miscfiles_domain_entry_test_files(prlimittestdomain)
> diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
> index f327cc5..8c1d71c 100644
> --- a/policy/test_ptrace.te
> +++ b/policy/test_ptrace.te
> @@ -33,10 +33,6 @@ userdom_search_user_home_dirs(test_ptrace_traced_t)
>   # Let the tracer wait on the traced domain.
>   allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
>   
> -# Allow all of these domains to be entered from the sysadm domains.
> -# via a program in the test directory.
> -miscfiles_domain_entry_test_files(ptracedomain)
> -
>   # Allow execution of helper programs.
>   corecmd_exec_bin(ptracedomain)
>   domain_exec_all_entry_files(ptracedomain)
> diff --git a/policy/test_sctp.te b/policy/test_sctp.te
> index 7b24b8c..e276153 100644
> --- a/policy/test_sctp.te
> +++ b/policy/test_sctp.te
> @@ -229,8 +229,3 @@ allow sctpsocketdomain proc_net_t:file { read };
>   allow sctpsocketdomain sysctl_net_t:dir { search };
>   allow sctpsocketdomain self:udp_socket { create };
>   allow sctpsocketdomain self:unix_dgram_socket { create ioctl };
> -
> -#
> -############ Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(sctpsocketdomain)
> diff --git a/policy/test_setnice.te b/policy/test_setnice.te
> index 34a2e73..2c34643 100644
> --- a/policy/test_setnice.te
> +++ b/policy/test_setnice.te
> @@ -31,7 +31,6 @@ libs_exec_lib_files(setnicedomain)
>   
>   # Allow all of these domains to be entered from sysadm domain
>   # via a shell script in the test directory or by....
> -miscfiles_domain_entry_test_files(setnicedomain)
>   domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
>   domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
>   allow test_setnice_change_t test_setnice_set_t:fd use;
> diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te
> index 04bed89..1aaa0af 100644
> --- a/policy/test_sigkill.te
> +++ b/policy/test_sigkill.te
> @@ -40,7 +40,6 @@ allow test_kill_signal_t test_kill_server_t:process signal;
>   
>   # Allow all of these domains to be entered from the sysadm domains,
>   # via kill or a program in the test directory.
> -miscfiles_domain_entry_test_files(killdomain)
>   corecmd_bin_entry_type(killdomain)
>   sysadm_bin_spec_domtrans_to(killdomain)

Sorry for splitting these comments across patches 8 and 9.  They kind of 
go with both.  This sysadm_bin_spec_domtrans_to() seems redundant as 
well, and in that case the comment above can probably be 
shortened/reworded to only apply to the corecmd_bin_entry_type()

>   
> diff --git a/policy/test_task_create.te b/policy/test_task_create.te
> index 54acb50..b90b2e3 100644
> --- a/policy/test_task_create.te
> +++ b/policy/test_task_create.te
> @@ -20,8 +20,3 @@ type test_create_no_t;
>   # as it makes the permission effectively unusable in real policy.
>   testsuite_domain_type_minimal(test_create_no_t)
>   typeattribute test_create_no_t test_create_d;
> -
> -# General rules for the test_create_d
> -
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_create_d)
> diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te
> index dad584e..4c499f7 100644
> --- a/policy/test_task_getpgid.te
> +++ b/policy/test_task_getpgid.te
> @@ -24,8 +24,5 @@ type test_getpgid_no_t;
>   testsuite_domain_type(test_getpgid_no_t)
>   typeattribute test_getpgid_no_t test_getpgid_d;
>   
> -# Allow domain to be entered from the sysadm domain
> -miscfiles_domain_entry_test_files(test_getpgid_d)
> -
>   # Give test_getpgid_yes_t the permission needed.
>   allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
> diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te
> index f541d58..98b267f 100644
> --- a/policy/test_task_getsched.te
> +++ b/policy/test_task_getsched.te
> @@ -24,8 +24,5 @@ type test_getsched_no_t;
>   testsuite_domain_type(test_getsched_no_t)
>   typeattribute test_getsched_no_t test_getsched_d;
>   
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_getsched_d)
> -
>   # Give test_getsched_yes_t the permission needed.
>   allow test_getsched_yes_t test_getsched_target_t:process getsched;
> diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te
> index 8c21d9a..b53d454 100644
> --- a/policy/test_task_getsid.te
> +++ b/policy/test_task_getsid.te
> @@ -24,8 +24,5 @@ type test_getsid_no_t;
>   testsuite_domain_type(test_getsid_no_t)
>   typeattribute test_getsid_no_t test_getsid_d;
>   
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_getsid_d)
> -
>   # Give test_getsid_yes_t the permission needed.
>   allow test_getsid_yes_t test_getsid_target_t:process getsession;
> diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te
> index 25e06d4..bb8afa7 100644
> --- a/policy/test_task_setpgid.te
> +++ b/policy/test_task_setpgid.te
> @@ -15,6 +15,3 @@ typeattribute test_setpgid_yes_t test_setpgid_d;
>   type test_setpgid_no_t;
>   testsuite_domain_type_minimal(test_setpgid_no_t)
>   typeattribute test_setpgid_no_t test_setpgid_d;
> -
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_setpgid_d)
> diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te
> index 432135e..3e75cf6 100644
> --- a/policy/test_task_setsched.te
> +++ b/policy/test_task_setsched.te
> @@ -26,9 +26,6 @@ type test_setsched_no_t;
>   testsuite_domain_type(test_setsched_no_t)
>   typeattribute test_setsched_no_t test_setsched_d;
>   
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_setsched_d)
> -
>   # Allow these domains to execute renice.
>   corecmd_bin_entry_type(test_setsched_d)
>   
> diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te
> index e1aef8d..28efc10 100644
> --- a/policy/test_tun_tap.te
> +++ b/policy/test_tun_tap.te
> @@ -91,8 +91,3 @@ allow test_newcon_no_from_tun_tap_t self:tun_socket { relabelto };
>   # For switch back on error:
>   allow test_tun_tap_t test_newcon_no_from_tun_tap_t:fd { use };
>   allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(tuntapdomain)
> diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te
> index 69720f0..f4e9e41 100644
> --- a/policy/test_unix_socket.te
> +++ b/policy/test_unix_socket.te
> @@ -58,6 +58,3 @@ allow test_unix_server_t test_unix_dgram_client_t:unix_dgram_socket sendto;
>   type test_socketpair_t;
>   testsuite_domain_type(test_socketpair_t)
>   typeattribute test_socketpair_t unixsocketdomain;
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(unixsocketdomain)
> diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
> index 5cb7d1c..f5a6613 100644
> --- a/policy/test_userfaultfd.te
> +++ b/policy/test_userfaultfd.te
> @@ -45,6 +45,3 @@ userfaultfd_domain_type(test_noread_uffd_t)
>   
>   # userfaultfd(2) requires CAP_SYS_PTRACE
>   allow test_uffd_domain self:capability { sys_ptrace };
> -
> -# Allow all of these domains to be executed
> -miscfiles_domain_entry_test_files(test_uffd_domain)
> diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te
> index 4bb989a..dbd47f4 100644
> --- a/policy/test_vsock_socket.te
> +++ b/policy/test_vsock_socket.te
> @@ -42,6 +42,3 @@ vsock_client(noread, connect create getattr getopt setopt shutdown write)
>   vsock_client(nogetattr, connect create getopt setopt read shutdown write)
>   vsock_client(nogetopt, connect create getattr setopt read shutdown write)
>   vsock_client(nosetopt, connect create getattr getopt read shutdown write)
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(vsocksocketdomain)
> diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te
> index 101d68a..a85bd20 100644
> --- a/policy/test_watchkey.te
> +++ b/policy/test_watchkey.te
> @@ -15,8 +15,3 @@ allow test_watchkey_t self:key { view };
>   type test_watchkey_no_view_t;
>   testsuite_domain_type(test_watchkey_no_view_t)
>   typeattribute test_watchkey_no_view_t watchkeydomain;
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(watchkeydomain)

Re: [PATCH testsuite 11/24] test_general.te: move sysadm-related rules into an optional block

[Daniel Burgener]

On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> That should allow running selinux-testsuite with the sysadm module
> disabled.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   policy/test_global.te | 26 ++++++++++++++------------
>   1 file changed, 14 insertions(+), 12 deletions(-)
> 
> diff --git a/policy/test_global.te b/policy/test_global.te
> index aceac48..3862ee7 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -25,12 +25,21 @@ optional_policy(`
>   	dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
>   ')
>   
> -gen_require(`
> -	role sysadm_r;
> -')
> +optional_policy(`
> +	gen_require(`
> +		role sysadm_r;
> +	')
> +
> +	# Authorize sysadm_r for the test domains.
> +	role sysadm_r types testsuite_domain;
>   
> -# Authorize sysadm_r for the test domains.
> -role sysadm_r types testsuite_domain;
> +	# Allow the test domain to be entered from sysadm_t
> +	sysadm_entry_spec_domtrans_to(testsuite_domain)
> +
> +	# Let sysadm_t use runcon to run the test programs in various domains.
> +	#allow sysadm_t self:process setexec;
> +	#selinux_get_fs_mount(sysadm_t)
> +')

These commented out rules can probably just be removed entirely instead 
of being moved into the optional block?

-Daniel

>   
>   # Allow the test domains to access the sysadm terminal.
>   # This allows read and write sysadm ttys and ptys.
> @@ -40,17 +49,10 @@ term_use_all_terms(testsuite_domain)
>   allow testsuite_domain init_t:fd use;
>   allow testsuite_domain initrc_t:fd use;
>   
> -# Allow the test domain to be entered from sysadm_t
> -sysadm_entry_spec_domtrans_to(testsuite_domain)
> -
>   # Allow the test domains to access the test directory and files
>   # even if they are not root owned.
>   allow testsuite_domain self:capability { dac_override dac_read_search };
>   
> -# Let sysadm_t use runcon to run the test programs in various domains.
> -#allow sysadm_t self:process setexec;
> -#selinux_get_fs_mount(sysadm_t)
> -
>   # Let all test domains read test directories and files and to use test
>   # files as entry points.
>   miscfiles_read_test_files(testsuite_domain)

Re: [PATCH testsuite 21/24] tests/overlay: don't hard-code SELinux user of the caller

[Daniel Burgener]

On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> We want to allow the testsuite caller to be other than unconfined, so
> extract the user from current context and use it instead of hard-coding
> unconfined_u.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   tests/overlay/setup-overlay |  2 +-
>   tests/overlay/test          | 34 ++++++++++++++++------------------
>   2 files changed, 17 insertions(+), 19 deletions(-)
> 
> diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay
> index 4fcd023..3f33499 100755
> --- a/tests/overlay/setup-overlay
> +++ b/tests/overlay/setup-overlay
> @@ -41,7 +41,7 @@ setup () {
>   
>       # Create upper, work, and overlay directories per container.
>       mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged
> -    chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1
> +    chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1
>   
>       # Label the container directories to match the container context.
>       # This is simply to ensure correct label inheritance on new file
> diff --git a/tests/overlay/test b/tests/overlay/test
> index 2b28c47..c8367dd 100755
> --- a/tests/overlay/test
> +++ b/tests/overlay/test
> @@ -5,6 +5,10 @@ BEGIN {
>       $basedir = $0;
>       $basedir =~ s|(.*)/[^/]*|$1|;
>   
> +    $seuser = `id -Z`;
> +    chop($seuser);
> +    $seuser =~ s|^(\w+):.*$|$1|;

Is chop actually needed here?  My perl is a little rusty, so there may 
be some perl regex-y reason, but you're discarding everything after the 
first ":" anyways.

-Daniel

> +
>       $isnfs = `stat -f --print %T $basedir`;
>   
>       # check if kernel supports overlayfs and SELinux labeling
> @@ -92,7 +96,7 @@ sub test_4_0 {
>       $output = getfilecon("$basedir/container1/upper/writefile");
>   
>       # Newly created writefile should have s0 MCS Label since it was copied up
> -    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
>   }
>   
>   sub test_4_0_ctx {
> @@ -100,8 +104,7 @@ sub test_4_0_ctx {
>       $output = getfilecon("$basedir/container1/upper/writefile");
>   
>       # Newly created writefile should have s0 MCS Label since it was copied up
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_5 {
> @@ -127,8 +130,7 @@ sub test_5_1 {
>       $output = getfilecon("$basedir/container1/upper/newdir");
>   
>       # Newly created writedir should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_5_2 {
> @@ -146,8 +148,7 @@ sub test_5_3 {
>       $output = getfilecon("$basedir/container1/upper/newdir/touchlink");
>   
>       # Newly created writelink should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_6 {
> @@ -173,7 +174,7 @@ sub test_7_0 {
>       $output = getfilecon("$basedir/container1/upper/writedir/bar");
>   
>       # Newly created bar should have s0:c10,c20 since it was created new
> -    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
>   }
>   
>   sub test_7_0_ctx {
> @@ -181,8 +182,7 @@ sub test_7_0_ctx {
>       $output = getfilecon("$basedir/container1/upper/writedir/bar");
>   
>       # Newly created bar should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_7_1 {
> @@ -200,7 +200,7 @@ sub test_7_1_0 {
>       $output = getfilecon("$basedir/container1/upper/writedir/writelink");
>   
>       # Newly created writelink should have s0:c10,c20 since it was created new
> -    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
>   }
>   
>   sub test_7_1_0_ctx {
> @@ -208,8 +208,7 @@ sub test_7_1_0_ctx {
>       $output = getfilecon("$basedir/container1/upper/writedir/writelink");
>   
>       # Newly created writelink should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_7_2 {
> @@ -445,7 +444,7 @@ sub test_42 {
>   
>       # Newly created writeout should have s0:c10,c20 since it was created new
>       ok( $output eq
> -          "unconfined_u:object_r:test_overlay_transition_files_t:s0:c10,c20" );
> +          "$seuser:object_r:test_overlay_transition_files_t:s0:c10,c20" );
>   }
>   
>   sub test_42_ctx {
> @@ -453,8 +452,7 @@ sub test_42_ctx {
>       $output = getfilecon("$basedir/container1/upper/transition");
>   
>       # Newly created writeout should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_43 {
> @@ -822,7 +820,7 @@ sub nocontext_test {
>   sub context_test {
>   
>       cleanup();
> -    $context = "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20";
> +    $context = "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20";
>       print "\n\n=====================================================\n";
>       print "Testing mounting overlayfs with context switch\n";
>       print "context=$context\n";
> @@ -943,7 +941,7 @@ sub context_test {
>   sub context_rot_t_test {
>   
>       cleanup();
> -    $context = "unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20";
> +    $context = "$seuser:object_r:test_overlay_files_ro_t:s0:c10,c20";
>       print "\n\n=====================================================\n";
>       print "Testing mounting overlayfs with context switch\n";
>       print "context=$context\n";

Re: [PATCH testsuite 08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy

[Ondrej Mosnacek]

On Tue, Aug 2, 2022 at 3:55 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > This is good to have for pretty much all domains, so remove the
> > individual calls and move it to test_general.te.
> >
>
> For whatever reason, test_sysnice.te uses
>
> domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
>
> instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access
> added in the global attribute here covers that and the
> domain_transition_pattern() there can be deleted as well.
>
> Between that and the change to test_setnice.te in Patch 9, this comment
> above those two lines seems obsolete and can probably be deleted:
>
> # Allow all of these domains to be entered from sysadm domain
> # via a shell script in the test directory or by....]

Oh, true... I did carefully search and remove all individual
references to unconfined* but not sysadm*. I'll try to clean those up,
too.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 21/24] tests/overlay: don't hard-code SELinux user of the caller

[Ondrej Mosnacek]

On Tue, Aug 2, 2022 at 7:16 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > We want to allow the testsuite caller to be other than unconfined, so
> > extract the user from current context and use it instead of hard-coding
> > unconfined_u.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   tests/overlay/setup-overlay |  2 +-
> >   tests/overlay/test          | 34 ++++++++++++++++------------------
> >   2 files changed, 17 insertions(+), 19 deletions(-)
> >
> > diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay
> > index 4fcd023..3f33499 100755
> > --- a/tests/overlay/setup-overlay
> > +++ b/tests/overlay/setup-overlay
> > @@ -41,7 +41,7 @@ setup () {
> >
> >       # Create upper, work, and overlay directories per container.
> >       mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged
> > -    chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1
> > +    chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1
> >
> >       # Label the container directories to match the container context.
> >       # This is simply to ensure correct label inheritance on new file
> > diff --git a/tests/overlay/test b/tests/overlay/test
> > index 2b28c47..c8367dd 100755
> > --- a/tests/overlay/test
> > +++ b/tests/overlay/test
> > @@ -5,6 +5,10 @@ BEGIN {
> >       $basedir = $0;
> >       $basedir =~ s|(.*)/[^/]*|$1|;
> >
> > +    $seuser = `id -Z`;
> > +    chop($seuser);
> > +    $seuser =~ s|^(\w+):.*$|$1|;
>
> Is chop actually needed here?  My perl is a little rusty, so there may
> be some perl regex-y reason, but you're discarding everything after the
> first ":" anyways.

Yeah, it's actually not needed, but I'd rather leave it there to
document that one needs to account for the line ending in the initial
value. Otherwise people changing the regex in the future may get
bitten by it.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 11/24] test_general.te: move sysadm-related rules into an optional block

[Ondrej Mosnacek]

On Tue, Aug 2, 2022 at 4:03 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > That should allow running selinux-testsuite with the sysadm module
> > disabled.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   policy/test_global.te | 26 ++++++++++++++------------
> >   1 file changed, 14 insertions(+), 12 deletions(-)
> >
> > diff --git a/policy/test_global.te b/policy/test_global.te
> > index aceac48..3862ee7 100644
> > --- a/policy/test_global.te
> > +++ b/policy/test_global.te
> > @@ -25,12 +25,21 @@ optional_policy(`
> >       dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
> >   ')
> >
> > -gen_require(`
> > -     role sysadm_r;
> > -')
> > +optional_policy(`
> > +     gen_require(`
> > +             role sysadm_r;
> > +     ')
> > +
> > +     # Authorize sysadm_r for the test domains.
> > +     role sysadm_r types testsuite_domain;
> >
> > -# Authorize sysadm_r for the test domains.
> > -role sysadm_r types testsuite_domain;
> > +     # Allow the test domain to be entered from sysadm_t
> > +     sysadm_entry_spec_domtrans_to(testsuite_domain)
> > +
> > +     # Let sysadm_t use runcon to run the test programs in various domains.
> > +     #allow sysadm_t self:process setexec;
> > +     #selinux_get_fs_mount(sysadm_t)
> > +')
>
> These commented out rules can probably just be removed entirely instead
> of being moved into the optional block?

Probably, but I didn't want to think about it and just preserved the
fossils :) I'll take a closer look and possibly remove them in a
separate commit.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy

[Ondrej Mosnacek]

On Wed, Aug 3, 2022 at 10:53 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Tue, Aug 2, 2022 at 3:55 PM Daniel Burgener
> <dburgener@linux.microsoft.com> wrote:
> > On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > > This is good to have for pretty much all domains, so remove the
> > > individual calls and move it to test_general.te.
> > >
> >
> > For whatever reason, test_sysnice.te uses
> >
> > domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
> >
> > instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access
> > added in the global attribute here covers that and the
> > domain_transition_pattern() there can be deleted as well.
> >
> > Between that and the change to test_setnice.te in Patch 9, this comment
> > above those two lines seems obsolete and can probably be deleted:
> >
> > # Allow all of these domains to be entered from sysadm domain
> > # via a shell script in the test directory or by....]
>
> Oh, true... I did carefully search and remove all individual
> references to unconfined* but not sysadm*. I'll try to clean those up,
> too.

OK, I pushed a new version (see the GitHub PR) with sysadm* references
removed + corecmd_* rules also moved to general policy + some groups
of superfluous macro calls removed as well. There are probably still
some small cleanup opportunities left, but this is where I'm going to
stop for now.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy

[Daniel Burgener]

On 8/4/2022 7:54 AM, Ondrej Mosnacek wrote:
> On Wed, Aug 3, 2022 at 10:53 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>> On Tue, Aug 2, 2022 at 3:55 PM Daniel Burgener
>> <dburgener@linux.microsoft.com> wrote:
>>> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
>>>> This is good to have for pretty much all domains, so remove the
>>>> individual calls and move it to test_general.te.
>>>>
>>>
>>> For whatever reason, test_sysnice.te uses
>>>
>>> domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
>>>
>>> instead of userdom_sysadm_entry_spec_domtrans_to().  I think the access
>>> added in the global attribute here covers that and the
>>> domain_transition_pattern() there can be deleted as well.
>>>
>>> Between that and the change to test_setnice.te in Patch 9, this comment
>>> above those two lines seems obsolete and can probably be deleted:
>>>
>>> # Allow all of these domains to be entered from sysadm domain
>>> # via a shell script in the test directory or by....]
>>
>> Oh, true... I did carefully search and remove all individual
>> references to unconfined* but not sysadm*. I'll try to clean those up,
>> too.
> 
> OK, I pushed a new version (see the GitHub PR) with sysadm* references
> removed + corecmd_* rules also moved to general policy + some groups
> of superfluous macro calls removed as well. There are probably still
> some small cleanup opportunities left, but this is where I'm going to
> stop for now.
> 

Awesome.  I'll aim to take a look through the updated github PR today or 
tomorrow and hopefully add my +1.

-Daniel

Re: [PATCH testsuite 00/24] Clean up testsuite policy and support running as sysadm_t

[Ondrej Mosnacek]

On Mon, Aug 1, 2022 at 10:02 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Fri, Jul 29, 2022 at 2:27 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > On Fri, Jul 29, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > This series aim for two things:
> > > 1. Refactor the policy so that it is easier to work with.
> > > 2. Leverage the refactoring to fully support running the testsuite
> > >    as sysadm_u:sysadm_r:sysadm_t.
> > >
> > > The gist of this work lies in unifying how test domains are defined,
> > > deduplicating the various boilerplate spread out all across the
> > > individual files (and not even used consistently), and in abstracting
> > > the policy caller domain/role away from the individual test policies
> > > into test_general.te. Some tests also had to be massaged to not
> > > hard-code unconfined_* and be generic against the context of the
> > > testsuite caller.
> > >
> > > The series also extends the CI to test running the testsuite as sysadm_*
> > > and also verify that no unconfined_t/sysadm_t unexpected denials are
> > > produced (which would usually indicate a missing dontaudit rule in the
> > > testsuite policy).
> >
> > Lol, I got a bounce for patches 4 and 5 because they are too long :D
> > Hopefully the list owners can approve them manually. If not, I'll
> > submit this series as a GitHub PR and post a link here.
>
> The patches are still not there, so opened a pull request:
> https://github.com/SELinuxProject/selinux-testsuite/pull/82
>
> One can fetch the contents of the PR in the git-format-patch format
> through the following URL:
> https://github.com/SELinuxProject/selinux-testsuite/pull/82.patch

This is just a note that I have merged the PR now.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.