diff mbox series

[testsuite,09/24] policy: move miscfiles_domain_entry_test_files() to general policy

Message ID 20220729120229.207584-10-omosnace@redhat.com (mailing list archive)
State Superseded
Delegated to: Ondrej Mosnáček
Headers show
Series Clean up testsuite policy and support running as sysadm_t | expand

Commit Message

Ondrej Mosnacek July 29, 2022, 12:02 p.m. UTC 
This is good to have for pretty much all domains, so remove the
individual calls and move it to test_general.te.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_binder.te                | 5 -----
 policy/test_binder_bpf.te            | 5 -----
 policy/test_bounds.te                | 1 -
 policy/test_bpf.te                   | 5 -----
 policy/test_cap_userns.te            | 1 -
 policy/test_capable_file.te          | 1 -
 policy/test_dyntrace.te              | 1 -
 policy/test_dyntrans.te              | 4 ----
 policy/test_execshare.te             | 3 ---
 policy/test_exectrace.te             | 3 ---
 policy/test_extended_socket_class.te | 3 ---
 policy/test_fdreceive.te             | 3 ---
 policy/test_fdreceive_bpf.te         | 3 ---
 policy/test_file.te                  | 3 ---
 policy/test_filesystem.te            | 5 -----
 policy/test_global.te                | 4 +++-
 policy/test_ibendport.te             | 3 ---
 policy/test_ibpkey.te                | 3 ---
 policy/test_inet_socket.te           | 3 ---
 policy/test_inherit.te               | 3 ---
 policy/test_ioctl.te                 | 1 -
 policy/test_ipc.te                   | 1 -
 policy/test_key_socket.te            | 5 -----
 policy/test_keys.te                  | 5 -----
 policy/test_mmap.te                  | 3 ---
 policy/test_module_load.te           | 5 -----
 policy/test_mqueue.te                | 3 ---
 policy/test_netlink_socket.te        | 3 ---
 policy/test_notify.te                | 2 --
 policy/test_open.te                  | 3 ---
 policy/test_perf_event.te            | 5 -----
 policy/test_prlimit.te               | 7 -------
 policy/test_ptrace.te                | 4 ----
 policy/test_sctp.te                  | 5 -----
 policy/test_setnice.te               | 1 -
 policy/test_sigkill.te               | 1 -
 policy/test_task_create.te           | 5 -----
 policy/test_task_getpgid.te          | 3 ---
 policy/test_task_getsched.te         | 3 ---
 policy/test_task_getsid.te           | 3 ---
 policy/test_task_setpgid.te          | 3 ---
 policy/test_task_setsched.te         | 3 ---
 policy/test_tun_tap.te               | 5 -----
 policy/test_unix_socket.te           | 3 ---
 policy/test_userfaultfd.te           | 3 ---
 policy/test_vsock_socket.te          | 3 ---
 policy/test_watchkey.te              | 5 -----
 47 files changed, 3 insertions(+), 152 deletions(-)

Comments

Daniel Burgener Aug. 2, 2022, 1:58 p.m. UTC | #1 
On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> This is good to have for pretty much all domains, so remove the
> individual calls and move it to test_general.te.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   policy/test_binder.te                | 5 -----
>   policy/test_binder_bpf.te            | 5 -----
>   policy/test_bounds.te                | 1 -
>   policy/test_bpf.te                   | 5 -----
>   policy/test_cap_userns.te            | 1 -
>   policy/test_capable_file.te          | 1 -
>   policy/test_dyntrace.te              | 1 -
>   policy/test_dyntrans.te              | 4 ----
>   policy/test_execshare.te             | 3 ---
>   policy/test_exectrace.te             | 3 ---
>   policy/test_extended_socket_class.te | 3 ---
>   policy/test_fdreceive.te             | 3 ---
>   policy/test_fdreceive_bpf.te         | 3 ---
>   policy/test_file.te                  | 3 ---
>   policy/test_filesystem.te            | 5 -----
>   policy/test_global.te                | 4 +++-
>   policy/test_ibendport.te             | 3 ---
>   policy/test_ibpkey.te                | 3 ---
>   policy/test_inet_socket.te           | 3 ---
>   policy/test_inherit.te               | 3 ---
>   policy/test_ioctl.te                 | 1 -
>   policy/test_ipc.te                   | 1 -
>   policy/test_key_socket.te            | 5 -----
>   policy/test_keys.te                  | 5 -----
>   policy/test_mmap.te                  | 3 ---
>   policy/test_module_load.te           | 5 -----
>   policy/test_mqueue.te                | 3 ---
>   policy/test_netlink_socket.te        | 3 ---
>   policy/test_notify.te                | 2 --
>   policy/test_open.te                  | 3 ---
>   policy/test_perf_event.te            | 5 -----
>   policy/test_prlimit.te               | 7 -------
>   policy/test_ptrace.te                | 4 ----
>   policy/test_sctp.te                  | 5 -----
>   policy/test_setnice.te               | 1 -
>   policy/test_sigkill.te               | 1 -
>   policy/test_task_create.te           | 5 -----
>   policy/test_task_getpgid.te          | 3 ---
>   policy/test_task_getsched.te         | 3 ---
>   policy/test_task_getsid.te           | 3 ---
>   policy/test_task_setpgid.te          | 3 ---
>   policy/test_task_setsched.te         | 3 ---
>   policy/test_tun_tap.te               | 5 -----
>   policy/test_unix_socket.te           | 3 ---
>   policy/test_userfaultfd.te           | 3 ---
>   policy/test_vsock_socket.te          | 3 ---
>   policy/test_watchkey.te              | 5 -----
>   47 files changed, 3 insertions(+), 152 deletions(-)
> 
> diff --git a/policy/test_binder.te b/policy/test_binder.te
> index 096c467..4c7974a 100644
> --- a/policy/test_binder.te
> +++ b/policy/test_binder.te
> @@ -94,8 +94,3 @@ allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call };
>   allow test_binder_client_no_transfer_t test_binder_provider_t:binder { call impersonate };
>   allow test_binder_client_no_transfer_t device_t:chr_file { getattr ioctl open read write };
>   allow_map(test_binder_client_no_transfer_t, device_t, chr_file)
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(binderdomain)
> diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
> index 2d91af2..fa79320 100644
> --- a/policy/test_binder_bpf.te
> +++ b/policy/test_binder_bpf.te
> @@ -57,8 +57,3 @@ allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
>   allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
>   allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
>   allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(binderbpfdomain)
> diff --git a/policy/test_bounds.te b/policy/test_bounds.te
> index 60fbd0b..d132d8a 100644
> --- a/policy/test_bounds.te
> +++ b/policy/test_bounds.te
> @@ -63,5 +63,4 @@ allow test_bounds_child_domain test_bounds_file_green_t : file { getattr setattr
>   allow test_bounds_child_domain test_bounds_file_blue_t : file { getattr setattr };
>   
>   # Allow all of these domains to be entered from sysadm domain
> -miscfiles_domain_entry_test_files(test_bounds_domain)
>   sysadm_entry_spec_domtrans(test_bounds_domain)
> diff --git a/policy/test_bpf.te b/policy/test_bpf.te
> index fb21c29..5eab0bd 100644
> --- a/policy/test_bpf.te
> +++ b/policy/test_bpf.te
> @@ -57,8 +57,3 @@ typeattribute test_bpf_deny_prog_run_t bpfdomain;
>   allow test_bpf_deny_prog_run_t self:process { setrlimit };
>   allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
>   allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
> -
> -#
> -############ Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(bpfdomain)
> diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
> index fa90528..cfa510c 100644
> --- a/policy/test_cap_userns.te
> +++ b/policy/test_cap_userns.te
> @@ -19,7 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t)
>   typeattribute test_no_cap_userns_t capusernsdomain;
>   
>   # Rules common to both domains.
> -miscfiles_domain_entry_test_files(capusernsdomain)
>   corecmd_exec_bin(capusernsdomain)
>   
>   # linux >= v5.12 needs setfcap to map UID 0
> diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te
> index 9ce9487..2383f6e 100644
> --- a/policy/test_capable_file.te
> +++ b/policy/test_capable_file.te
> @@ -39,7 +39,6 @@ libs_exec_ld_so(capabledomain)
>   libs_exec_lib_files(capabledomain)
>   
>   # Allow test_file_t and bin_t to be entered from sysadm role
> -miscfiles_domain_entry_test_files(capabledomain)
>   corecmd_bin_entry_type(capabledomain)
>   sysadm_bin_spec_domtrans_to(capabledomain)
>   
> diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te
> index 0a598a4..09f983a 100644
> --- a/policy/test_dyntrace.te
> +++ b/policy/test_dyntrace.te
> @@ -25,7 +25,6 @@ testsuite_domain_type(test_dyntrace_notchild_t)
>   typeattribute test_dyntrace_notchild_t dyntracedomain;
>   
>   # Allow test_files_t to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(dyntracedomain)
>   miscfiles_exec_test_files(dyntracedomain)
>   
>   # Grant the necessary permissions for the child domain.
> diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te
> index e4110c5..73fe77d 100644
> --- a/policy/test_dyntrans.te
> +++ b/policy/test_dyntrans.te
> @@ -23,7 +23,3 @@ typeattribute test_dyntrans_todomain_t dyntransdomain;
>   
>   # Allow the fromdomain to dyntrans to the new domain.
>   allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(dyntransdomain)
> -
> diff --git a/policy/test_execshare.te b/policy/test_execshare.te
> index 22ed09f..c127662 100644
> --- a/policy/test_execshare.te
> +++ b/policy/test_execshare.te
> @@ -20,9 +20,6 @@ type test_execshare_notchild_t;
>   testsuite_domain_type(test_execshare_notchild_t);
>   typeattribute test_execshare_notchild_t execsharedomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(execsharedomain)
> -
>   # Grant the necessary permissions for the child domain.
>   domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
>   allow test_execshare_parent_t test_execshare_child_t:fd use;
> diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te
> index 302ba80..d5b74ad 100644
> --- a/policy/test_exectrace.te
> +++ b/policy/test_exectrace.te
> @@ -23,9 +23,6 @@ type test_exectrace_notchild_t;
>   testsuite_domain_type(test_exectrace_notchild_t)
>   typeattribute test_exectrace_notchild_t exectracedomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(exectracedomain)
> -
>   # Grant the necessary permissions for the child domain.
>   domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
>   allow test_exectrace_parent_t test_exectrace_child_t:fd use;
> diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
> index 681a71d..c8840b4 100644
> --- a/policy/test_extended_socket_class.te
> +++ b/policy/test_extended_socket_class.te
> @@ -54,6 +54,3 @@ extended_socket_class_test(alg_socket, socket)
>   
>   # Trigger kernel module auto-loading of the network protocol implementations.
>   kernel_request_load_module(extsocktestdomain)
> -
> -# Entry into the test domains via the test program.
> -miscfiles_domain_entry_test_files(extsocktestdomain)
> diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
> index 9987503..df9e974 100644
> --- a/policy/test_fdreceive.te
> +++ b/policy/test_fdreceive.te
> @@ -30,9 +30,6 @@ type test_fdreceive_server_t;
>   testsuite_domain_type(test_fdreceive_server_t);
>   typeattribute test_fdreceive_server_t fdreceivedomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(fdreceivedomain)
> -
>   # Grant the necessary permissions for the server domain.
>   ## Create the Unix domain socket file.
>   allow test_fdreceive_server_t test_file_t:dir rw_dir_perms;
> diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
> index 264a703..fd633ae 100644
> --- a/policy/test_fdreceive_bpf.te
> +++ b/policy/test_fdreceive_bpf.te
> @@ -48,6 +48,3 @@ allow test_fdreceive_bpf_client3_t self:process { setrlimit };
>   # Server side rules:
>   allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
>   allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(fdreceivebpfdomain)
> diff --git a/policy/test_file.te b/policy/test_file.te
> index 9acc211..5bb0398 100644
> --- a/policy/test_file.te
> +++ b/policy/test_file.te
> @@ -53,9 +53,6 @@ libs_use_shared_libs(fileopdomain)
>   libs_exec_ld_so(fileopdomain)
>   libs_exec_lib_files(fileopdomain)
>   
> -# Allow all of these domains to be entered from sysadm domain
> -miscfiles_domain_entry_test_files(fileopdomain)
> -
>   corecmd_bin_entry_type(fileopdomain)
>   sysadm_bin_spec_domtrans_to(fileopdomain)
>   
> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> index fd06d5d..5de489c 100644
> --- a/policy/test_filesystem.te
> +++ b/policy/test_filesystem.te
> @@ -408,8 +408,3 @@ allow test_filesystem_no_mount_t dosfs_t:filesystem { associate };
>   allow test_filesystem_no_remount_t dosfs_t:filesystem { associate };
>   allow test_filesystem_no_unmount_t dosfs_t:filesystem { associate };
>   allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(filesystemdomain)
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 5ef3b02..667c272 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -51,8 +51,10 @@ allow testsuite_domain self:capability { dac_override dac_read_search };
>   #allow sysadm_t self:process setexec;
>   #selinux_get_fs_mount(sysadm_t)
>   
> -# Let all test domains read test directories and files.
> +# Let all test domains read test directories and files and to use test
> +# files as entry points.
>   miscfiles_read_test_files(testsuite_domain)
> +miscfiles_domain_entry_test_files(testsuite_domain)
>   
>   # Let the test domains set their current, exec and fscreate contexts.
>   allow testsuite_domain self:process setcurrent;
> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> index a403be0..ccfea28 100644
> --- a/policy/test_ibendport.te
> +++ b/policy/test_ibendport.te
> @@ -29,6 +29,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
>   ')
>   
>   allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(ibendportdomain)
> diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
> index de0f5e1..863ff16 100644
> --- a/policy/test_ibpkey.te
> +++ b/policy/test_ibpkey.te
> @@ -22,6 +22,3 @@ corenet_ib_pkey(test_ibpkey_t)
>   ifdef(`corenet_ib_access_unlabeled_pkeys',`
>   corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
>   ')
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(ibpkeydomain)
> diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
> index dd0e83c..5feb801 100644
> --- a/policy/test_inet_socket.te
> +++ b/policy/test_inet_socket.te
> @@ -158,6 +158,3 @@ allow test_inet_client_t test_server_packet_t:packet { send recv };
>   # Send/recv unlabeled packets.
>   kernel_sendrecv_unlabeled_packets(inetsocketdomain)
>   kernel_recvfrom_unlabeled_peer(inetsocketdomain)
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(inetsocketdomain)
> diff --git a/policy/test_inherit.te b/policy/test_inherit.te
> index 15ab8fc..da26ea3 100644
> --- a/policy/test_inherit.te
> +++ b/policy/test_inherit.te
> @@ -31,9 +31,6 @@ type test_inherit_nowrite_t;
>   testsuite_domain_type(test_inherit_nowrite_t)
>   typeattribute test_inherit_nowrite_t inheritdomain;
>   
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(inheritdomain)
> -
>   # Grant the necessary permissions for the parent domain.
>   allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
>   
> diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te
> index 955695d..dc645f4 100644
> --- a/policy/test_ioctl.te
> +++ b/policy/test_ioctl.te
> @@ -30,7 +30,6 @@ libs_exec_lib_files(ioctldomain)
>   
>   # Allow all of these domains to be entered from sysadm domain
>   # via a shell script in the test directory or by....
> -miscfiles_domain_entry_test_files(ioctldomain)
>   corecmd_bin_entry_type(ioctldomain)
>   sysadm_bin_spec_domtrans_to(ioctldomain)
>   
> diff --git a/policy/test_ipc.te b/policy/test_ipc.te
> index f68d35c..21d997b 100644
> --- a/policy/test_ipc.te
> +++ b/policy/test_ipc.te
> @@ -67,7 +67,6 @@ fs_rw_tmpfs_files(ipcdomain)
>   
>   # Allow all of these domains to be entered from user domains.
>   # via a shell script in the test directory or by another program.
> -miscfiles_domain_entry_test_files(ipcdomain)
>   corecmd_bin_entry_type(ipcdomain)
>   sysadm_bin_spec_domtrans_to(ipcdomain)
>   
> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
> index 2763472..27a1545 100644
> --- a/policy/test_key_socket.te
> +++ b/policy/test_key_socket.te
> @@ -48,10 +48,5 @@ typeattribute test_key_sock_no_read_t keysockdomain;
>   allow test_key_sock_no_read_t self:capability { net_admin };
>   allow test_key_sock_no_read_t self:key_socket { create write setopt };
>   
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(keysockdomain)
> -
>   # For CONFIG_NET_KEY=m
>   kernel_request_load_module(keysockdomain)
> diff --git a/policy/test_keys.te b/policy/test_keys.te
> index de1b46c..250950e 100644
> --- a/policy/test_keys.te
> +++ b/policy/test_keys.te
> @@ -164,8 +164,3 @@ typeattribute test_request_keys_no_link_t keydomain;
>   
>   allow test_request_keys_no_link_t self:key { create write search read view link setattr };
>   allow test_request_keys_no_link_t test_keyring_service_t:key { read write search view setattr };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(keydomain)
> diff --git a/policy/test_mmap.te b/policy/test_mmap.te
> index eb59dbe..d0850cc 100644
> --- a/policy/test_mmap.te
> +++ b/policy/test_mmap.te
> @@ -152,6 +152,3 @@ testsuite_domain_type(test_no_execmod_t)
>   typeattribute test_no_execmod_t mmaptestdomain;
>   allow test_no_execmod_t test_mmap_file_t:file { open read execute };
>   allow_map(test_no_execmod_t, test_mmap_file_t, file)
> -
> -# Allow entrypoint via the test programs.
> -miscfiles_domain_entry_test_files(mmaptestdomain)
> diff --git a/policy/test_module_load.te b/policy/test_module_load.te
> index 770b2dd..a856706 100644
> --- a/policy/test_module_load.te
> +++ b/policy/test_module_load.te
> @@ -41,8 +41,3 @@ allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
>   allow test_kmodule_deny_module_request_t self:system { module_load };
>   allow_lockdown_integrity(test_kmodule_deny_module_request_t)
>   neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(kmoduledomain)
> diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te
> index ea3fa68..65ffe6d 100644
> --- a/policy/test_mqueue.te
> +++ b/policy/test_mqueue.te
> @@ -55,9 +55,6 @@ type mqop_mqrw_t;
>   files_type(mqop_mqrw_t)
>   
>   
> -# basic permision for all mqopdomains
> -miscfiles_domain_entry_test_files(mqopdomain)
> -
>   corecmd_bin_entry_type(mqopdomain)
>   sysadm_bin_spec_domtrans_to(mqopdomain)
>   
> diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
> index 589e372..b6d39c2 100644
> --- a/policy/test_netlink_socket.te
> +++ b/policy/test_netlink_socket.te
> @@ -41,8 +41,5 @@ netlink_socket_test(netlink_crypto_socket)
>   # Common rules for all netlink socket class test domains.
>   #
>   
> -# Entry into the test domains via the test program.
> -miscfiles_domain_entry_test_files(netlinksocktestdomain)
> -
>   # Trigger kernel module auto-loading of the protocol implementations.
>   kernel_request_load_module(netlinksocktestdomain)
> diff --git a/policy/test_notify.te b/policy/test_notify.te
> index 4ffd287..fe60274 100644
> --- a/policy/test_notify.te
> +++ b/policy/test_notify.te
> @@ -73,5 +73,3 @@ testsuite_domain_type(test_rdonly_t)
>   typeattribute test_rdonly_t test_notify_domain;
>   
>   allow test_rdonly_t test_notify_file_t:dir { read open watch };
> -
> -miscfiles_domain_entry_test_files(test_notify_domain)
> diff --git a/policy/test_open.te b/policy/test_open.te
> index 0d662f0..f01a5fe 100644
> --- a/policy/test_open.te
> +++ b/policy/test_open.te
> @@ -28,6 +28,3 @@ type test_append_t;
>   testsuite_domain_type(test_append_t)
>   typeattribute test_append_t test_open_domain;
>   allow test_append_t test_open_file_t:file append_file_perms;
> -
> -# Allow all of these domains to be entered from sysadm domain
> -miscfiles_domain_entry_test_files(test_open_domain)
> diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> index 8a914ff..5db46cd 100644
> --- a/policy/test_perf_event.te
> +++ b/policy/test_perf_event.te
> @@ -70,8 +70,3 @@ typeattribute test_perf_no_write_t perfdomain;
>   allow test_perf_no_write_t self:capability2 { perfmon };
>   allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
>   allow_lockdown_confidentiality(test_perf_no_write_t)
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(perfdomain)
> diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te
> index 4b6a5c8..b0314f3 100644
> --- a/policy/test_prlimit.te
> +++ b/policy/test_prlimit.te
> @@ -36,10 +36,3 @@ spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t)
>   
>   prlimit_test(setrlimit)
>   prlimit_test(getrlimit)
> -
> -#
> -# Common rules for all prlimit test domains.
> -#
> -
> -# Entry into the test domains via the test program.
> -miscfiles_domain_entry_test_files(prlimittestdomain)
> diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
> index f327cc5..8c1d71c 100644
> --- a/policy/test_ptrace.te
> +++ b/policy/test_ptrace.te
> @@ -33,10 +33,6 @@ userdom_search_user_home_dirs(test_ptrace_traced_t)
>   # Let the tracer wait on the traced domain.
>   allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
>   
> -# Allow all of these domains to be entered from the sysadm domains.
> -# via a program in the test directory.
> -miscfiles_domain_entry_test_files(ptracedomain)
> -
>   # Allow execution of helper programs.
>   corecmd_exec_bin(ptracedomain)
>   domain_exec_all_entry_files(ptracedomain)
> diff --git a/policy/test_sctp.te b/policy/test_sctp.te
> index 7b24b8c..e276153 100644
> --- a/policy/test_sctp.te
> +++ b/policy/test_sctp.te
> @@ -229,8 +229,3 @@ allow sctpsocketdomain proc_net_t:file { read };
>   allow sctpsocketdomain sysctl_net_t:dir { search };
>   allow sctpsocketdomain self:udp_socket { create };
>   allow sctpsocketdomain self:unix_dgram_socket { create ioctl };
> -
> -#
> -############ Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(sctpsocketdomain)
> diff --git a/policy/test_setnice.te b/policy/test_setnice.te
> index 34a2e73..2c34643 100644
> --- a/policy/test_setnice.te
> +++ b/policy/test_setnice.te
> @@ -31,7 +31,6 @@ libs_exec_lib_files(setnicedomain)
>   
>   # Allow all of these domains to be entered from sysadm domain
>   # via a shell script in the test directory or by....
> -miscfiles_domain_entry_test_files(setnicedomain)
>   domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
>   domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
>   allow test_setnice_change_t test_setnice_set_t:fd use;
> diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te
> index 04bed89..1aaa0af 100644
> --- a/policy/test_sigkill.te
> +++ b/policy/test_sigkill.te
> @@ -40,7 +40,6 @@ allow test_kill_signal_t test_kill_server_t:process signal;
>   
>   # Allow all of these domains to be entered from the sysadm domains,
>   # via kill or a program in the test directory.
> -miscfiles_domain_entry_test_files(killdomain)
>   corecmd_bin_entry_type(killdomain)
>   sysadm_bin_spec_domtrans_to(killdomain)

Sorry for splitting these comments across patches 8 and 9.  They kind of 
go with both.  This sysadm_bin_spec_domtrans_to() seems redundant as 
well, and in that case the comment above can probably be 
shortened/reworded to only apply to the corecmd_bin_entry_type()

>   
> diff --git a/policy/test_task_create.te b/policy/test_task_create.te
> index 54acb50..b90b2e3 100644
> --- a/policy/test_task_create.te
> +++ b/policy/test_task_create.te
> @@ -20,8 +20,3 @@ type test_create_no_t;
>   # as it makes the permission effectively unusable in real policy.
>   testsuite_domain_type_minimal(test_create_no_t)
>   typeattribute test_create_no_t test_create_d;
> -
> -# General rules for the test_create_d
> -
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_create_d)
> diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te
> index dad584e..4c499f7 100644
> --- a/policy/test_task_getpgid.te
> +++ b/policy/test_task_getpgid.te
> @@ -24,8 +24,5 @@ type test_getpgid_no_t;
>   testsuite_domain_type(test_getpgid_no_t)
>   typeattribute test_getpgid_no_t test_getpgid_d;
>   
> -# Allow domain to be entered from the sysadm domain
> -miscfiles_domain_entry_test_files(test_getpgid_d)
> -
>   # Give test_getpgid_yes_t the permission needed.
>   allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
> diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te
> index f541d58..98b267f 100644
> --- a/policy/test_task_getsched.te
> +++ b/policy/test_task_getsched.te
> @@ -24,8 +24,5 @@ type test_getsched_no_t;
>   testsuite_domain_type(test_getsched_no_t)
>   typeattribute test_getsched_no_t test_getsched_d;
>   
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_getsched_d)
> -
>   # Give test_getsched_yes_t the permission needed.
>   allow test_getsched_yes_t test_getsched_target_t:process getsched;
> diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te
> index 8c21d9a..b53d454 100644
> --- a/policy/test_task_getsid.te
> +++ b/policy/test_task_getsid.te
> @@ -24,8 +24,5 @@ type test_getsid_no_t;
>   testsuite_domain_type(test_getsid_no_t)
>   typeattribute test_getsid_no_t test_getsid_d;
>   
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_getsid_d)
> -
>   # Give test_getsid_yes_t the permission needed.
>   allow test_getsid_yes_t test_getsid_target_t:process getsession;
> diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te
> index 25e06d4..bb8afa7 100644
> --- a/policy/test_task_setpgid.te
> +++ b/policy/test_task_setpgid.te
> @@ -15,6 +15,3 @@ typeattribute test_setpgid_yes_t test_setpgid_d;
>   type test_setpgid_no_t;
>   testsuite_domain_type_minimal(test_setpgid_no_t)
>   typeattribute test_setpgid_no_t test_setpgid_d;
> -
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_setpgid_d)
> diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te
> index 432135e..3e75cf6 100644
> --- a/policy/test_task_setsched.te
> +++ b/policy/test_task_setsched.te
> @@ -26,9 +26,6 @@ type test_setsched_no_t;
>   testsuite_domain_type(test_setsched_no_t)
>   typeattribute test_setsched_no_t test_setsched_d;
>   
> -# Allow domain to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(test_setsched_d)
> -
>   # Allow these domains to execute renice.
>   corecmd_bin_entry_type(test_setsched_d)
>   
> diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te
> index e1aef8d..28efc10 100644
> --- a/policy/test_tun_tap.te
> +++ b/policy/test_tun_tap.te
> @@ -91,8 +91,3 @@ allow test_newcon_no_from_tun_tap_t self:tun_socket { relabelto };
>   # For switch back on error:
>   allow test_tun_tap_t test_newcon_no_from_tun_tap_t:fd { use };
>   allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition };
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(tuntapdomain)
> diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te
> index 69720f0..f4e9e41 100644
> --- a/policy/test_unix_socket.te
> +++ b/policy/test_unix_socket.te
> @@ -58,6 +58,3 @@ allow test_unix_server_t test_unix_dgram_client_t:unix_dgram_socket sendto;
>   type test_socketpair_t;
>   testsuite_domain_type(test_socketpair_t)
>   typeattribute test_socketpair_t unixsocketdomain;
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(unixsocketdomain)
> diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
> index 5cb7d1c..f5a6613 100644
> --- a/policy/test_userfaultfd.te
> +++ b/policy/test_userfaultfd.te
> @@ -45,6 +45,3 @@ userfaultfd_domain_type(test_noread_uffd_t)
>   
>   # userfaultfd(2) requires CAP_SYS_PTRACE
>   allow test_uffd_domain self:capability { sys_ptrace };
> -
> -# Allow all of these domains to be executed
> -miscfiles_domain_entry_test_files(test_uffd_domain)
> diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te
> index 4bb989a..dbd47f4 100644
> --- a/policy/test_vsock_socket.te
> +++ b/policy/test_vsock_socket.te
> @@ -42,6 +42,3 @@ vsock_client(noread, connect create getattr getopt setopt shutdown write)
>   vsock_client(nogetattr, connect create getopt setopt read shutdown write)
>   vsock_client(nogetopt, connect create getattr setopt read shutdown write)
>   vsock_client(nosetopt, connect create getattr getopt read shutdown write)
> -
> -# Allow all of these domains to be entered from the sysadm domain.
> -miscfiles_domain_entry_test_files(vsocksocketdomain)
> diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te
> index 101d68a..a85bd20 100644
> --- a/policy/test_watchkey.te
> +++ b/policy/test_watchkey.te
> @@ -15,8 +15,3 @@ allow test_watchkey_t self:key { view };
>   type test_watchkey_no_view_t;
>   testsuite_domain_type(test_watchkey_no_view_t)
>   typeattribute test_watchkey_no_view_t watchkeydomain;
> -
> -#
> -########### Allow these domains to be entered from sysadm domain ############
> -#
> -miscfiles_domain_entry_test_files(watchkeydomain)
diff mbox series

Patch

diff --git a/policy/test_binder.te b/policy/test_binder.te
index 096c467..4c7974a 100644
--- a/policy/test_binder.te
+++ b/policy/test_binder.te
@@ -94,8 +94,3 @@  allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call };
 allow test_binder_client_no_transfer_t test_binder_provider_t:binder { call impersonate };
 allow test_binder_client_no_transfer_t device_t:chr_file { getattr ioctl open read write };
 allow_map(test_binder_client_no_transfer_t, device_t, chr_file)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(binderdomain)
diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te
index 2d91af2..fa79320 100644
--- a/policy/test_binder_bpf.te
+++ b/policy/test_binder_bpf.te
@@ -57,8 +57,3 @@  allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call };
 allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use };
 allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write };
 allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(binderbpfdomain)
diff --git a/policy/test_bounds.te b/policy/test_bounds.te
index 60fbd0b..d132d8a 100644
--- a/policy/test_bounds.te
+++ b/policy/test_bounds.te
@@ -63,5 +63,4 @@  allow test_bounds_child_domain test_bounds_file_green_t : file { getattr setattr
 allow test_bounds_child_domain test_bounds_file_blue_t : file { getattr setattr };
 
 # Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(test_bounds_domain)
 sysadm_entry_spec_domtrans(test_bounds_domain)
diff --git a/policy/test_bpf.te b/policy/test_bpf.te
index fb21c29..5eab0bd 100644
--- a/policy/test_bpf.te
+++ b/policy/test_bpf.te
@@ -57,8 +57,3 @@  typeattribute test_bpf_deny_prog_run_t bpfdomain;
 allow test_bpf_deny_prog_run_t self:process { setrlimit };
 allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin };
 allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load };
-
-#
-############ Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(bpfdomain)
diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te
index fa90528..cfa510c 100644
--- a/policy/test_cap_userns.te
+++ b/policy/test_cap_userns.te
@@ -19,7 +19,6 @@  testsuite_domain_type(test_no_cap_userns_t)
 typeattribute test_no_cap_userns_t capusernsdomain;
 
 # Rules common to both domains.
-miscfiles_domain_entry_test_files(capusernsdomain)
 corecmd_exec_bin(capusernsdomain)
 
 # linux >= v5.12 needs setfcap to map UID 0
diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te
index 9ce9487..2383f6e 100644
--- a/policy/test_capable_file.te
+++ b/policy/test_capable_file.te
@@ -39,7 +39,6 @@  libs_exec_ld_so(capabledomain)
 libs_exec_lib_files(capabledomain)
 
 # Allow test_file_t and bin_t to be entered from sysadm role
-miscfiles_domain_entry_test_files(capabledomain)
 corecmd_bin_entry_type(capabledomain)
 sysadm_bin_spec_domtrans_to(capabledomain)
 
diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te
index 0a598a4..09f983a 100644
--- a/policy/test_dyntrace.te
+++ b/policy/test_dyntrace.te
@@ -25,7 +25,6 @@  testsuite_domain_type(test_dyntrace_notchild_t)
 typeattribute test_dyntrace_notchild_t dyntracedomain;
 
 # Allow test_files_t to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(dyntracedomain)
 miscfiles_exec_test_files(dyntracedomain)
 
 # Grant the necessary permissions for the child domain.
diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te
index e4110c5..73fe77d 100644
--- a/policy/test_dyntrans.te
+++ b/policy/test_dyntrans.te
@@ -23,7 +23,3 @@  typeattribute test_dyntrans_todomain_t dyntransdomain;
 
 # Allow the fromdomain to dyntrans to the new domain.
 allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(dyntransdomain)
-
diff --git a/policy/test_execshare.te b/policy/test_execshare.te
index 22ed09f..c127662 100644
--- a/policy/test_execshare.te
+++ b/policy/test_execshare.te
@@ -20,9 +20,6 @@  type test_execshare_notchild_t;
 testsuite_domain_type(test_execshare_notchild_t);
 typeattribute test_execshare_notchild_t execsharedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(execsharedomain)
-
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
 allow test_execshare_parent_t test_execshare_child_t:fd use;
diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te
index 302ba80..d5b74ad 100644
--- a/policy/test_exectrace.te
+++ b/policy/test_exectrace.te
@@ -23,9 +23,6 @@  type test_exectrace_notchild_t;
 testsuite_domain_type(test_exectrace_notchild_t)
 typeattribute test_exectrace_notchild_t exectracedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(exectracedomain)
-
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
 allow test_exectrace_parent_t test_exectrace_child_t:fd use;
diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
index 681a71d..c8840b4 100644
--- a/policy/test_extended_socket_class.te
+++ b/policy/test_extended_socket_class.te
@@ -54,6 +54,3 @@  extended_socket_class_test(alg_socket, socket)
 
 # Trigger kernel module auto-loading of the network protocol implementations.
 kernel_request_load_module(extsocktestdomain)
-
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(extsocktestdomain)
diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
index 9987503..df9e974 100644
--- a/policy/test_fdreceive.te
+++ b/policy/test_fdreceive.te
@@ -30,9 +30,6 @@  type test_fdreceive_server_t;
 testsuite_domain_type(test_fdreceive_server_t);
 typeattribute test_fdreceive_server_t fdreceivedomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(fdreceivedomain)
-
 # Grant the necessary permissions for the server domain.
 ## Create the Unix domain socket file.
 allow test_fdreceive_server_t test_file_t:dir rw_dir_perms;
diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te
index 264a703..fd633ae 100644
--- a/policy/test_fdreceive_bpf.te
+++ b/policy/test_fdreceive_bpf.te
@@ -48,6 +48,3 @@  allow test_fdreceive_bpf_client3_t self:process { setrlimit };
 # Server side rules:
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use };
 allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write };
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(fdreceivebpfdomain)
diff --git a/policy/test_file.te b/policy/test_file.te
index 9acc211..5bb0398 100644
--- a/policy/test_file.te
+++ b/policy/test_file.te
@@ -53,9 +53,6 @@  libs_use_shared_libs(fileopdomain)
 libs_exec_ld_so(fileopdomain)
 libs_exec_lib_files(fileopdomain)
 
-# Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(fileopdomain)
-
 corecmd_bin_entry_type(fileopdomain)
 sysadm_bin_spec_domtrans_to(fileopdomain)
 
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index fd06d5d..5de489c 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -408,8 +408,3 @@  allow test_filesystem_no_mount_t dosfs_t:filesystem { associate };
 allow test_filesystem_no_remount_t dosfs_t:filesystem { associate };
 allow test_filesystem_no_unmount_t dosfs_t:filesystem { associate };
 allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(filesystemdomain)
diff --git a/policy/test_global.te b/policy/test_global.te
index 5ef3b02..667c272 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -51,8 +51,10 @@  allow testsuite_domain self:capability { dac_override dac_read_search };
 #allow sysadm_t self:process setexec;
 #selinux_get_fs_mount(sysadm_t)
 
-# Let all test domains read test directories and files.
+# Let all test domains read test directories and files and to use test
+# files as entry points.
 miscfiles_read_test_files(testsuite_domain)
+miscfiles_domain_entry_test_files(testsuite_domain)
 
 # Let the test domains set their current, exec and fscreate contexts.
 allow testsuite_domain self:process setcurrent;
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
index a403be0..ccfea28 100644
--- a/policy/test_ibendport.te
+++ b/policy/test_ibendport.te
@@ -29,6 +29,3 @@  corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
 ')
 
 allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(ibendportdomain)
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
index de0f5e1..863ff16 100644
--- a/policy/test_ibpkey.te
+++ b/policy/test_ibpkey.te
@@ -22,6 +22,3 @@  corenet_ib_pkey(test_ibpkey_t)
 ifdef(`corenet_ib_access_unlabeled_pkeys',`
 corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
 ')
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(ibpkeydomain)
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index dd0e83c..5feb801 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -158,6 +158,3 @@  allow test_inet_client_t test_server_packet_t:packet { send recv };
 # Send/recv unlabeled packets.
 kernel_sendrecv_unlabeled_packets(inetsocketdomain)
 kernel_recvfrom_unlabeled_peer(inetsocketdomain)
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(inetsocketdomain)
diff --git a/policy/test_inherit.te b/policy/test_inherit.te
index 15ab8fc..da26ea3 100644
--- a/policy/test_inherit.te
+++ b/policy/test_inherit.te
@@ -31,9 +31,6 @@  type test_inherit_nowrite_t;
 testsuite_domain_type(test_inherit_nowrite_t)
 typeattribute test_inherit_nowrite_t inheritdomain;
 
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(inheritdomain)
-
 # Grant the necessary permissions for the parent domain.
 allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
 
diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te
index 955695d..dc645f4 100644
--- a/policy/test_ioctl.te
+++ b/policy/test_ioctl.te
@@ -30,7 +30,6 @@  libs_exec_lib_files(ioctldomain)
 
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
-miscfiles_domain_entry_test_files(ioctldomain)
 corecmd_bin_entry_type(ioctldomain)
 sysadm_bin_spec_domtrans_to(ioctldomain)
 
diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index f68d35c..21d997b 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -67,7 +67,6 @@  fs_rw_tmpfs_files(ipcdomain)
 
 # Allow all of these domains to be entered from user domains.
 # via a shell script in the test directory or by another program.
-miscfiles_domain_entry_test_files(ipcdomain)
 corecmd_bin_entry_type(ipcdomain)
 sysadm_bin_spec_domtrans_to(ipcdomain)
 
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
index 2763472..27a1545 100644
--- a/policy/test_key_socket.te
+++ b/policy/test_key_socket.te
@@ -48,10 +48,5 @@  typeattribute test_key_sock_no_read_t keysockdomain;
 allow test_key_sock_no_read_t self:capability { net_admin };
 allow test_key_sock_no_read_t self:key_socket { create write setopt };
 
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(keysockdomain)
-
 # For CONFIG_NET_KEY=m
 kernel_request_load_module(keysockdomain)
diff --git a/policy/test_keys.te b/policy/test_keys.te
index de1b46c..250950e 100644
--- a/policy/test_keys.te
+++ b/policy/test_keys.te
@@ -164,8 +164,3 @@  typeattribute test_request_keys_no_link_t keydomain;
 
 allow test_request_keys_no_link_t self:key { create write search read view link setattr };
 allow test_request_keys_no_link_t test_keyring_service_t:key { read write search view setattr };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(keydomain)
diff --git a/policy/test_mmap.te b/policy/test_mmap.te
index eb59dbe..d0850cc 100644
--- a/policy/test_mmap.te
+++ b/policy/test_mmap.te
@@ -152,6 +152,3 @@  testsuite_domain_type(test_no_execmod_t)
 typeattribute test_no_execmod_t mmaptestdomain;
 allow test_no_execmod_t test_mmap_file_t:file { open read execute };
 allow_map(test_no_execmod_t, test_mmap_file_t, file)
-
-# Allow entrypoint via the test programs.
-miscfiles_domain_entry_test_files(mmaptestdomain)
diff --git a/policy/test_module_load.te b/policy/test_module_load.te
index 770b2dd..a856706 100644
--- a/policy/test_module_load.te
+++ b/policy/test_module_load.te
@@ -41,8 +41,3 @@  allow test_kmodule_deny_module_request_t test_file_t:system { module_load };
 allow test_kmodule_deny_module_request_t self:system { module_load };
 allow_lockdown_integrity(test_kmodule_deny_module_request_t)
 neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(kmoduledomain)
diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te
index ea3fa68..65ffe6d 100644
--- a/policy/test_mqueue.te
+++ b/policy/test_mqueue.te
@@ -55,9 +55,6 @@  type mqop_mqrw_t;
 files_type(mqop_mqrw_t)
 
 
-# basic permision for all mqopdomains
-miscfiles_domain_entry_test_files(mqopdomain)
-
 corecmd_bin_entry_type(mqopdomain)
 sysadm_bin_spec_domtrans_to(mqopdomain)
 
diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
index 589e372..b6d39c2 100644
--- a/policy/test_netlink_socket.te
+++ b/policy/test_netlink_socket.te
@@ -41,8 +41,5 @@  netlink_socket_test(netlink_crypto_socket)
 # Common rules for all netlink socket class test domains.
 #
 
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(netlinksocktestdomain)
-
 # Trigger kernel module auto-loading of the protocol implementations.
 kernel_request_load_module(netlinksocktestdomain)
diff --git a/policy/test_notify.te b/policy/test_notify.te
index 4ffd287..fe60274 100644
--- a/policy/test_notify.te
+++ b/policy/test_notify.te
@@ -73,5 +73,3 @@  testsuite_domain_type(test_rdonly_t)
 typeattribute test_rdonly_t test_notify_domain;
 
 allow test_rdonly_t test_notify_file_t:dir { read open watch };
-
-miscfiles_domain_entry_test_files(test_notify_domain)
diff --git a/policy/test_open.te b/policy/test_open.te
index 0d662f0..f01a5fe 100644
--- a/policy/test_open.te
+++ b/policy/test_open.te
@@ -28,6 +28,3 @@  type test_append_t;
 testsuite_domain_type(test_append_t)
 typeattribute test_append_t test_open_domain;
 allow test_append_t test_open_file_t:file append_file_perms;
-
-# Allow all of these domains to be entered from sysadm domain
-miscfiles_domain_entry_test_files(test_open_domain)
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
index 8a914ff..5db46cd 100644
--- a/policy/test_perf_event.te
+++ b/policy/test_perf_event.te
@@ -70,8 +70,3 @@  typeattribute test_perf_no_write_t perfdomain;
 allow test_perf_no_write_t self:capability2 { perfmon };
 allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read };
 allow_lockdown_confidentiality(test_perf_no_write_t)
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(perfdomain)
diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te
index 4b6a5c8..b0314f3 100644
--- a/policy/test_prlimit.te
+++ b/policy/test_prlimit.te
@@ -36,10 +36,3 @@  spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t)
 
 prlimit_test(setrlimit)
 prlimit_test(getrlimit)
-
-#
-# Common rules for all prlimit test domains.
-#
-
-# Entry into the test domains via the test program.
-miscfiles_domain_entry_test_files(prlimittestdomain)
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index f327cc5..8c1d71c 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -33,10 +33,6 @@  userdom_search_user_home_dirs(test_ptrace_traced_t)
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
 
-# Allow all of these domains to be entered from the sysadm domains.
-# via a program in the test directory.
-miscfiles_domain_entry_test_files(ptracedomain)
-
 # Allow execution of helper programs.
 corecmd_exec_bin(ptracedomain)
 domain_exec_all_entry_files(ptracedomain)
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 7b24b8c..e276153 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -229,8 +229,3 @@  allow sctpsocketdomain proc_net_t:file { read };
 allow sctpsocketdomain sysctl_net_t:dir { search };
 allow sctpsocketdomain self:udp_socket { create };
 allow sctpsocketdomain self:unix_dgram_socket { create ioctl };
-
-#
-############ Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(sctpsocketdomain)
diff --git a/policy/test_setnice.te b/policy/test_setnice.te
index 34a2e73..2c34643 100644
--- a/policy/test_setnice.te
+++ b/policy/test_setnice.te
@@ -31,7 +31,6 @@  libs_exec_lib_files(setnicedomain)
 
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
-miscfiles_domain_entry_test_files(setnicedomain)
 domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
 domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t})
 allow test_setnice_change_t test_setnice_set_t:fd use;
diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te
index 04bed89..1aaa0af 100644
--- a/policy/test_sigkill.te
+++ b/policy/test_sigkill.te
@@ -40,7 +40,6 @@  allow test_kill_signal_t test_kill_server_t:process signal;
 
 # Allow all of these domains to be entered from the sysadm domains,
 # via kill or a program in the test directory.
-miscfiles_domain_entry_test_files(killdomain)
 corecmd_bin_entry_type(killdomain)
 sysadm_bin_spec_domtrans_to(killdomain)
 
diff --git a/policy/test_task_create.te b/policy/test_task_create.te
index 54acb50..b90b2e3 100644
--- a/policy/test_task_create.te
+++ b/policy/test_task_create.te
@@ -20,8 +20,3 @@  type test_create_no_t;
 # as it makes the permission effectively unusable in real policy.
 testsuite_domain_type_minimal(test_create_no_t)
 typeattribute test_create_no_t test_create_d;
-
-# General rules for the test_create_d
-
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_create_d)
diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te
index dad584e..4c499f7 100644
--- a/policy/test_task_getpgid.te
+++ b/policy/test_task_getpgid.te
@@ -24,8 +24,5 @@  type test_getpgid_no_t;
 testsuite_domain_type(test_getpgid_no_t)
 typeattribute test_getpgid_no_t test_getpgid_d;
 
-# Allow domain to be entered from the sysadm domain
-miscfiles_domain_entry_test_files(test_getpgid_d)
-
 # Give test_getpgid_yes_t the permission needed.
 allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te
index f541d58..98b267f 100644
--- a/policy/test_task_getsched.te
+++ b/policy/test_task_getsched.te
@@ -24,8 +24,5 @@  type test_getsched_no_t;
 testsuite_domain_type(test_getsched_no_t)
 typeattribute test_getsched_no_t test_getsched_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_getsched_d)
-
 # Give test_getsched_yes_t the permission needed.
 allow test_getsched_yes_t test_getsched_target_t:process getsched;
diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te
index 8c21d9a..b53d454 100644
--- a/policy/test_task_getsid.te
+++ b/policy/test_task_getsid.te
@@ -24,8 +24,5 @@  type test_getsid_no_t;
 testsuite_domain_type(test_getsid_no_t)
 typeattribute test_getsid_no_t test_getsid_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_getsid_d)
-
 # Give test_getsid_yes_t the permission needed.
 allow test_getsid_yes_t test_getsid_target_t:process getsession;
diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te
index 25e06d4..bb8afa7 100644
--- a/policy/test_task_setpgid.te
+++ b/policy/test_task_setpgid.te
@@ -15,6 +15,3 @@  typeattribute test_setpgid_yes_t test_setpgid_d;
 type test_setpgid_no_t;
 testsuite_domain_type_minimal(test_setpgid_no_t)
 typeattribute test_setpgid_no_t test_setpgid_d;
-
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_setpgid_d)
diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te
index 432135e..3e75cf6 100644
--- a/policy/test_task_setsched.te
+++ b/policy/test_task_setsched.te
@@ -26,9 +26,6 @@  type test_setsched_no_t;
 testsuite_domain_type(test_setsched_no_t)
 typeattribute test_setsched_no_t test_setsched_d;
 
-# Allow domain to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(test_setsched_d)
-
 # Allow these domains to execute renice.
 corecmd_bin_entry_type(test_setsched_d)
 
diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te
index e1aef8d..28efc10 100644
--- a/policy/test_tun_tap.te
+++ b/policy/test_tun_tap.te
@@ -91,8 +91,3 @@  allow test_newcon_no_from_tun_tap_t self:tun_socket { relabelto };
 # For switch back on error:
 allow test_tun_tap_t test_newcon_no_from_tun_tap_t:fd { use };
 allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition };
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(tuntapdomain)
diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te
index 69720f0..f4e9e41 100644
--- a/policy/test_unix_socket.te
+++ b/policy/test_unix_socket.te
@@ -58,6 +58,3 @@  allow test_unix_server_t test_unix_dgram_client_t:unix_dgram_socket sendto;
 type test_socketpair_t;
 testsuite_domain_type(test_socketpair_t)
 typeattribute test_socketpair_t unixsocketdomain;
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(unixsocketdomain)
diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te
index 5cb7d1c..f5a6613 100644
--- a/policy/test_userfaultfd.te
+++ b/policy/test_userfaultfd.te
@@ -45,6 +45,3 @@  userfaultfd_domain_type(test_noread_uffd_t)
 
 # userfaultfd(2) requires CAP_SYS_PTRACE
 allow test_uffd_domain self:capability { sys_ptrace };
-
-# Allow all of these domains to be executed
-miscfiles_domain_entry_test_files(test_uffd_domain)
diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te
index 4bb989a..dbd47f4 100644
--- a/policy/test_vsock_socket.te
+++ b/policy/test_vsock_socket.te
@@ -42,6 +42,3 @@  vsock_client(noread, connect create getattr getopt setopt shutdown write)
 vsock_client(nogetattr, connect create getopt setopt read shutdown write)
 vsock_client(nogetopt, connect create getattr setopt read shutdown write)
 vsock_client(nosetopt, connect create getattr getopt read shutdown write)
-
-# Allow all of these domains to be entered from the sysadm domain.
-miscfiles_domain_entry_test_files(vsocksocketdomain)
diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te
index 101d68a..a85bd20 100644
--- a/policy/test_watchkey.te
+++ b/policy/test_watchkey.te
@@ -15,8 +15,3 @@  allow test_watchkey_t self:key { view };
 type test_watchkey_no_view_t;
 testsuite_domain_type(test_watchkey_no_view_t)
 typeattribute test_watchkey_no_view_t watchkeydomain;
-
-#
-########### Allow these domains to be entered from sysadm domain ############
-#
-miscfiles_domain_entry_test_files(watchkeydomain)