From patchwork Fri Jul 29 12:02:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932375 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4593BC19F2B for ; Fri, 29 Jul 2022 12:02:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235936AbiG2MCy (ORCPT ); Fri, 29 Jul 2022 08:02:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40804 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235368AbiG2MCx (ORCPT ); Fri, 29 Jul 2022 08:02:53 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D79A7863E0 for ; Fri, 29 Jul 2022 05:02:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096170; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zNOT6iq1zNt3X66GT+gYQ98w9CMnfrHbff5MoR0393g=; b=IaYoOe9vfl7sQfGHzj2GgTBnxh/lBBTjt4l01t3gdtXQsL4Wx79AFCs90CPQrGw1UnsG4z STAbi2+J+nezDCJakwa+1VEqKQPZiK6G+e2epp799O4qdQ6bEtRQELdIOXIS8bR7uEoHO/ sZJrlOgpP5J+nxo+TlOTnHHY81sSSQ0= Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-594-9p3Nqt-LMbOhGhTcSfPS_g-1; Fri, 29 Jul 2022 08:02:49 -0400 X-MC-Unique: 9p3Nqt-LMbOhGhTcSfPS_g-1 Received: by mail-wr1-f71.google.com with SMTP id e3-20020adf9bc3000000b0021e50518071so1126763wrc.2 for ; Fri, 29 Jul 2022 05:02:49 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc; bh=zNOT6iq1zNt3X66GT+gYQ98w9CMnfrHbff5MoR0393g=; b=hGBvKeKe1BBkn3bXjav5JvAZLMWAQWeLgCRRRIGp3r4cWyTQIUPQnaUmv51FPuxE5V MBlG+25MFsNWF3IAzQaUQswzU50FVjWlP+9NCn3S41YTZD8ghz1z1vRPQ3HyWNq3sRAm hgfeIIK6emASnLvmaO0Xb1RxcYfQLSWkLOw1meU99KuIGqrTixEJKt4V4V+/4qecXmSw NH5iPsm/8eBYMbWGTr+XkzhzVOO48KuBXsxUv4/16M1wcX9MBrt5mwnV7RTeEWvNp9QT 5y9nEleTkdFywv6kdbV0nrchoUrTF3eXJD52P3Iv9KxBWM/jmJBxc/ErDC2sqYu+VIrH fTyw== X-Gm-Message-State: ACgBeo1N/yu2FvGrgpR/oqhT6av6674KbC3Z3a5GVvyyEYFg+MjYM0c9 nTk/xPVp3RiqWtxCHwfFQFWZEfv3pbkbFuIHAIUe4hkPj34yGqxMXcwmMpIm+Mn867eqiZpFhz4 tbg7bQjTL6nX9LuzChnxxOH/Xy7Ao8yNm14+fVNo8DCCimu9a2ABsazLbITyLmyd8TSX7dQ== X-Received: by 2002:a05:6000:3cc:b0:21e:7f8a:3925 with SMTP id b12-20020a05600003cc00b0021e7f8a3925mr2295983wrg.570.1659096167304; Fri, 29 Jul 2022 05:02:47 -0700 (PDT) X-Google-Smtp-Source: AA6agR70OLKCU1npfYGbp2+hp9SFhSzcI7uXpJEgH3p0x4nbBjdu1hPSvC9P8B3c52/4CmxukYktcw== X-Received: by 2002:a05:6000:3cc:b0:21e:7f8a:3925 with SMTP id b12-20020a05600003cc00b0021e7f8a3925mr2295947wrg.570.1659096166611; Fri, 29 Jul 2022 05:02:46 -0700 (PDT) Received: from localhost.localdomain ([2a02:8308:b106:e300:32b0:6ebb:8ca4:d4d3]) by smtp.gmail.com with ESMTPSA id i3-20020a05600c354300b003a2e92edeccsm9590622wmq.46.2022.07.29.05.02.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jul 2022 05:02:45 -0700 (PDT) From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 09/24] policy: move miscfiles_domain_entry_test_files() to general policy Date: Fri, 29 Jul 2022 14:02:14 +0200 Message-Id: <20220729120229.207584-10-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This is good to have for pretty much all domains, so remove the individual calls and move it to test_general.te. Signed-off-by: Ondrej Mosnacek --- policy/test_binder.te | 5 ----- policy/test_binder_bpf.te | 5 ----- policy/test_bounds.te | 1 - policy/test_bpf.te | 5 ----- policy/test_cap_userns.te | 1 - policy/test_capable_file.te | 1 - policy/test_dyntrace.te | 1 - policy/test_dyntrans.te | 4 ---- policy/test_execshare.te | 3 --- policy/test_exectrace.te | 3 --- policy/test_extended_socket_class.te | 3 --- policy/test_fdreceive.te | 3 --- policy/test_fdreceive_bpf.te | 3 --- policy/test_file.te | 3 --- policy/test_filesystem.te | 5 ----- policy/test_global.te | 4 +++- policy/test_ibendport.te | 3 --- policy/test_ibpkey.te | 3 --- policy/test_inet_socket.te | 3 --- policy/test_inherit.te | 3 --- policy/test_ioctl.te | 1 - policy/test_ipc.te | 1 - policy/test_key_socket.te | 5 ----- policy/test_keys.te | 5 ----- policy/test_mmap.te | 3 --- policy/test_module_load.te | 5 ----- policy/test_mqueue.te | 3 --- policy/test_netlink_socket.te | 3 --- policy/test_notify.te | 2 -- policy/test_open.te | 3 --- policy/test_perf_event.te | 5 ----- policy/test_prlimit.te | 7 ------- policy/test_ptrace.te | 4 ---- policy/test_sctp.te | 5 ----- policy/test_setnice.te | 1 - policy/test_sigkill.te | 1 - policy/test_task_create.te | 5 ----- policy/test_task_getpgid.te | 3 --- policy/test_task_getsched.te | 3 --- policy/test_task_getsid.te | 3 --- policy/test_task_setpgid.te | 3 --- policy/test_task_setsched.te | 3 --- policy/test_tun_tap.te | 5 ----- policy/test_unix_socket.te | 3 --- policy/test_userfaultfd.te | 3 --- policy/test_vsock_socket.te | 3 --- policy/test_watchkey.te | 5 ----- 47 files changed, 3 insertions(+), 152 deletions(-) diff --git a/policy/test_binder.te b/policy/test_binder.te index 096c467..4c7974a 100644 --- a/policy/test_binder.te +++ b/policy/test_binder.te @@ -94,8 +94,3 @@ allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call }; allow test_binder_client_no_transfer_t test_binder_provider_t:binder { call impersonate }; allow test_binder_client_no_transfer_t device_t:chr_file { getattr ioctl open read write }; allow_map(test_binder_client_no_transfer_t, device_t, chr_file) - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(binderdomain) diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te index 2d91af2..fa79320 100644 --- a/policy/test_binder_bpf.te +++ b/policy/test_binder_bpf.te @@ -57,8 +57,3 @@ allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call }; allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use }; allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write }; allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file) - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(binderbpfdomain) diff --git a/policy/test_bounds.te b/policy/test_bounds.te index 60fbd0b..d132d8a 100644 --- a/policy/test_bounds.te +++ b/policy/test_bounds.te @@ -63,5 +63,4 @@ allow test_bounds_child_domain test_bounds_file_green_t : file { getattr setattr allow test_bounds_child_domain test_bounds_file_blue_t : file { getattr setattr }; # Allow all of these domains to be entered from sysadm domain -miscfiles_domain_entry_test_files(test_bounds_domain) sysadm_entry_spec_domtrans(test_bounds_domain) diff --git a/policy/test_bpf.te b/policy/test_bpf.te index fb21c29..5eab0bd 100644 --- a/policy/test_bpf.te +++ b/policy/test_bpf.te @@ -57,8 +57,3 @@ typeattribute test_bpf_deny_prog_run_t bpfdomain; allow test_bpf_deny_prog_run_t self:process { setrlimit }; allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin }; allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load }; - -# -############ Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(bpfdomain) diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te index fa90528..cfa510c 100644 --- a/policy/test_cap_userns.te +++ b/policy/test_cap_userns.te @@ -19,7 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t) typeattribute test_no_cap_userns_t capusernsdomain; # Rules common to both domains. -miscfiles_domain_entry_test_files(capusernsdomain) corecmd_exec_bin(capusernsdomain) # linux >= v5.12 needs setfcap to map UID 0 diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te index 9ce9487..2383f6e 100644 --- a/policy/test_capable_file.te +++ b/policy/test_capable_file.te @@ -39,7 +39,6 @@ libs_exec_ld_so(capabledomain) libs_exec_lib_files(capabledomain) # Allow test_file_t and bin_t to be entered from sysadm role -miscfiles_domain_entry_test_files(capabledomain) corecmd_bin_entry_type(capabledomain) sysadm_bin_spec_domtrans_to(capabledomain) diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te index 0a598a4..09f983a 100644 --- a/policy/test_dyntrace.te +++ b/policy/test_dyntrace.te @@ -25,7 +25,6 @@ testsuite_domain_type(test_dyntrace_notchild_t) typeattribute test_dyntrace_notchild_t dyntracedomain; # Allow test_files_t to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(dyntracedomain) miscfiles_exec_test_files(dyntracedomain) # Grant the necessary permissions for the child domain. diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te index e4110c5..73fe77d 100644 --- a/policy/test_dyntrans.te +++ b/policy/test_dyntrans.te @@ -23,7 +23,3 @@ typeattribute test_dyntrans_todomain_t dyntransdomain; # Allow the fromdomain to dyntrans to the new domain. allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(dyntransdomain) - diff --git a/policy/test_execshare.te b/policy/test_execshare.te index 22ed09f..c127662 100644 --- a/policy/test_execshare.te +++ b/policy/test_execshare.te @@ -20,9 +20,6 @@ type test_execshare_notchild_t; testsuite_domain_type(test_execshare_notchild_t); typeattribute test_execshare_notchild_t execsharedomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(execsharedomain) - # Grant the necessary permissions for the child domain. domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t) allow test_execshare_parent_t test_execshare_child_t:fd use; diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te index 302ba80..d5b74ad 100644 --- a/policy/test_exectrace.te +++ b/policy/test_exectrace.te @@ -23,9 +23,6 @@ type test_exectrace_notchild_t; testsuite_domain_type(test_exectrace_notchild_t) typeattribute test_exectrace_notchild_t exectracedomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(exectracedomain) - # Grant the necessary permissions for the child domain. domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t) allow test_exectrace_parent_t test_exectrace_child_t:fd use; diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te index 681a71d..c8840b4 100644 --- a/policy/test_extended_socket_class.te +++ b/policy/test_extended_socket_class.te @@ -54,6 +54,3 @@ extended_socket_class_test(alg_socket, socket) # Trigger kernel module auto-loading of the network protocol implementations. kernel_request_load_module(extsocktestdomain) - -# Entry into the test domains via the test program. -miscfiles_domain_entry_test_files(extsocktestdomain) diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te index 9987503..df9e974 100644 --- a/policy/test_fdreceive.te +++ b/policy/test_fdreceive.te @@ -30,9 +30,6 @@ type test_fdreceive_server_t; testsuite_domain_type(test_fdreceive_server_t); typeattribute test_fdreceive_server_t fdreceivedomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(fdreceivedomain) - # Grant the necessary permissions for the server domain. ## Create the Unix domain socket file. allow test_fdreceive_server_t test_file_t:dir rw_dir_perms; diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te index 264a703..fd633ae 100644 --- a/policy/test_fdreceive_bpf.te +++ b/policy/test_fdreceive_bpf.te @@ -48,6 +48,3 @@ allow test_fdreceive_bpf_client3_t self:process { setrlimit }; # Server side rules: allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use }; allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write }; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(fdreceivebpfdomain) diff --git a/policy/test_file.te b/policy/test_file.te index 9acc211..5bb0398 100644 --- a/policy/test_file.te +++ b/policy/test_file.te @@ -53,9 +53,6 @@ libs_use_shared_libs(fileopdomain) libs_exec_ld_so(fileopdomain) libs_exec_lib_files(fileopdomain) -# Allow all of these domains to be entered from sysadm domain -miscfiles_domain_entry_test_files(fileopdomain) - corecmd_bin_entry_type(fileopdomain) sysadm_bin_spec_domtrans_to(fileopdomain) diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index fd06d5d..5de489c 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -408,8 +408,3 @@ allow test_filesystem_no_mount_t dosfs_t:filesystem { associate }; allow test_filesystem_no_remount_t dosfs_t:filesystem { associate }; allow test_filesystem_no_unmount_t dosfs_t:filesystem { associate }; allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(filesystemdomain) diff --git a/policy/test_global.te b/policy/test_global.te index 5ef3b02..667c272 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -51,8 +51,10 @@ allow testsuite_domain self:capability { dac_override dac_read_search }; #allow sysadm_t self:process setexec; #selinux_get_fs_mount(sysadm_t) -# Let all test domains read test directories and files. +# Let all test domains read test directories and files and to use test +# files as entry points. miscfiles_read_test_files(testsuite_domain) +miscfiles_domain_entry_test_files(testsuite_domain) # Let the test domains set their current, exec and fscreate contexts. allow testsuite_domain self:process setcurrent; diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te index a403be0..ccfea28 100644 --- a/policy/test_ibendport.te +++ b/policy/test_ibendport.te @@ -29,6 +29,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) ') allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(ibendportdomain) diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te index de0f5e1..863ff16 100644 --- a/policy/test_ibpkey.te +++ b/policy/test_ibpkey.te @@ -22,6 +22,3 @@ corenet_ib_pkey(test_ibpkey_t) ifdef(`corenet_ib_access_unlabeled_pkeys',` corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t) ') - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(ibpkeydomain) diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te index dd0e83c..5feb801 100644 --- a/policy/test_inet_socket.te +++ b/policy/test_inet_socket.te @@ -158,6 +158,3 @@ allow test_inet_client_t test_server_packet_t:packet { send recv }; # Send/recv unlabeled packets. kernel_sendrecv_unlabeled_packets(inetsocketdomain) kernel_recvfrom_unlabeled_peer(inetsocketdomain) - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(inetsocketdomain) diff --git a/policy/test_inherit.te b/policy/test_inherit.te index 15ab8fc..da26ea3 100644 --- a/policy/test_inherit.te +++ b/policy/test_inherit.te @@ -31,9 +31,6 @@ type test_inherit_nowrite_t; testsuite_domain_type(test_inherit_nowrite_t) typeattribute test_inherit_nowrite_t inheritdomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(inheritdomain) - # Grant the necessary permissions for the parent domain. allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms; diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te index 955695d..dc645f4 100644 --- a/policy/test_ioctl.te +++ b/policy/test_ioctl.te @@ -30,7 +30,6 @@ libs_exec_lib_files(ioctldomain) # Allow all of these domains to be entered from sysadm domain # via a shell script in the test directory or by.... -miscfiles_domain_entry_test_files(ioctldomain) corecmd_bin_entry_type(ioctldomain) sysadm_bin_spec_domtrans_to(ioctldomain) diff --git a/policy/test_ipc.te b/policy/test_ipc.te index f68d35c..21d997b 100644 --- a/policy/test_ipc.te +++ b/policy/test_ipc.te @@ -67,7 +67,6 @@ fs_rw_tmpfs_files(ipcdomain) # Allow all of these domains to be entered from user domains. # via a shell script in the test directory or by another program. -miscfiles_domain_entry_test_files(ipcdomain) corecmd_bin_entry_type(ipcdomain) sysadm_bin_spec_domtrans_to(ipcdomain) diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te index 2763472..27a1545 100644 --- a/policy/test_key_socket.te +++ b/policy/test_key_socket.te @@ -48,10 +48,5 @@ typeattribute test_key_sock_no_read_t keysockdomain; allow test_key_sock_no_read_t self:capability { net_admin }; allow test_key_sock_no_read_t self:key_socket { create write setopt }; -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(keysockdomain) - # For CONFIG_NET_KEY=m kernel_request_load_module(keysockdomain) diff --git a/policy/test_keys.te b/policy/test_keys.te index de1b46c..250950e 100644 --- a/policy/test_keys.te +++ b/policy/test_keys.te @@ -164,8 +164,3 @@ typeattribute test_request_keys_no_link_t keydomain; allow test_request_keys_no_link_t self:key { create write search read view link setattr }; allow test_request_keys_no_link_t test_keyring_service_t:key { read write search view setattr }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(keydomain) diff --git a/policy/test_mmap.te b/policy/test_mmap.te index eb59dbe..d0850cc 100644 --- a/policy/test_mmap.te +++ b/policy/test_mmap.te @@ -152,6 +152,3 @@ testsuite_domain_type(test_no_execmod_t) typeattribute test_no_execmod_t mmaptestdomain; allow test_no_execmod_t test_mmap_file_t:file { open read execute }; allow_map(test_no_execmod_t, test_mmap_file_t, file) - -# Allow entrypoint via the test programs. -miscfiles_domain_entry_test_files(mmaptestdomain) diff --git a/policy/test_module_load.te b/policy/test_module_load.te index 770b2dd..a856706 100644 --- a/policy/test_module_load.te +++ b/policy/test_module_load.te @@ -41,8 +41,3 @@ allow test_kmodule_deny_module_request_t test_file_t:system { module_load }; allow test_kmodule_deny_module_request_t self:system { module_load }; allow_lockdown_integrity(test_kmodule_deny_module_request_t) neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(kmoduledomain) diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te index ea3fa68..65ffe6d 100644 --- a/policy/test_mqueue.te +++ b/policy/test_mqueue.te @@ -55,9 +55,6 @@ type mqop_mqrw_t; files_type(mqop_mqrw_t) -# basic permision for all mqopdomains -miscfiles_domain_entry_test_files(mqopdomain) - corecmd_bin_entry_type(mqopdomain) sysadm_bin_spec_domtrans_to(mqopdomain) diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te index 589e372..b6d39c2 100644 --- a/policy/test_netlink_socket.te +++ b/policy/test_netlink_socket.te @@ -41,8 +41,5 @@ netlink_socket_test(netlink_crypto_socket) # Common rules for all netlink socket class test domains. # -# Entry into the test domains via the test program. -miscfiles_domain_entry_test_files(netlinksocktestdomain) - # Trigger kernel module auto-loading of the protocol implementations. kernel_request_load_module(netlinksocktestdomain) diff --git a/policy/test_notify.te b/policy/test_notify.te index 4ffd287..fe60274 100644 --- a/policy/test_notify.te +++ b/policy/test_notify.te @@ -73,5 +73,3 @@ testsuite_domain_type(test_rdonly_t) typeattribute test_rdonly_t test_notify_domain; allow test_rdonly_t test_notify_file_t:dir { read open watch }; - -miscfiles_domain_entry_test_files(test_notify_domain) diff --git a/policy/test_open.te b/policy/test_open.te index 0d662f0..f01a5fe 100644 --- a/policy/test_open.te +++ b/policy/test_open.te @@ -28,6 +28,3 @@ type test_append_t; testsuite_domain_type(test_append_t) typeattribute test_append_t test_open_domain; allow test_append_t test_open_file_t:file append_file_perms; - -# Allow all of these domains to be entered from sysadm domain -miscfiles_domain_entry_test_files(test_open_domain) diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te index 8a914ff..5db46cd 100644 --- a/policy/test_perf_event.te +++ b/policy/test_perf_event.te @@ -70,8 +70,3 @@ typeattribute test_perf_no_write_t perfdomain; allow test_perf_no_write_t self:capability2 { perfmon }; allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read }; allow_lockdown_confidentiality(test_perf_no_write_t) - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(perfdomain) diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te index 4b6a5c8..b0314f3 100644 --- a/policy/test_prlimit.te +++ b/policy/test_prlimit.te @@ -36,10 +36,3 @@ spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t) prlimit_test(setrlimit) prlimit_test(getrlimit) - -# -# Common rules for all prlimit test domains. -# - -# Entry into the test domains via the test program. -miscfiles_domain_entry_test_files(prlimittestdomain) diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te index f327cc5..8c1d71c 100644 --- a/policy/test_ptrace.te +++ b/policy/test_ptrace.te @@ -33,10 +33,6 @@ userdom_search_user_home_dirs(test_ptrace_traced_t) # Let the tracer wait on the traced domain. allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld; -# Allow all of these domains to be entered from the sysadm domains. -# via a program in the test directory. -miscfiles_domain_entry_test_files(ptracedomain) - # Allow execution of helper programs. corecmd_exec_bin(ptracedomain) domain_exec_all_entry_files(ptracedomain) diff --git a/policy/test_sctp.te b/policy/test_sctp.te index 7b24b8c..e276153 100644 --- a/policy/test_sctp.te +++ b/policy/test_sctp.te @@ -229,8 +229,3 @@ allow sctpsocketdomain proc_net_t:file { read }; allow sctpsocketdomain sysctl_net_t:dir { search }; allow sctpsocketdomain self:udp_socket { create }; allow sctpsocketdomain self:unix_dgram_socket { create ioctl }; - -# -############ Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(sctpsocketdomain) diff --git a/policy/test_setnice.te b/policy/test_setnice.te index 34a2e73..2c34643 100644 --- a/policy/test_setnice.te +++ b/policy/test_setnice.te @@ -31,7 +31,6 @@ libs_exec_lib_files(setnicedomain) # Allow all of these domains to be entered from sysadm domain # via a shell script in the test directory or by.... -miscfiles_domain_entry_test_files(setnicedomain) domain_transition_pattern(sysadm_t, test_file_t, setnicedomain) domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t}) allow test_setnice_change_t test_setnice_set_t:fd use; diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te index 04bed89..1aaa0af 100644 --- a/policy/test_sigkill.te +++ b/policy/test_sigkill.te @@ -40,7 +40,6 @@ allow test_kill_signal_t test_kill_server_t:process signal; # Allow all of these domains to be entered from the sysadm domains, # via kill or a program in the test directory. -miscfiles_domain_entry_test_files(killdomain) corecmd_bin_entry_type(killdomain) sysadm_bin_spec_domtrans_to(killdomain) diff --git a/policy/test_task_create.te b/policy/test_task_create.te index 54acb50..b90b2e3 100644 --- a/policy/test_task_create.te +++ b/policy/test_task_create.te @@ -20,8 +20,3 @@ type test_create_no_t; # as it makes the permission effectively unusable in real policy. testsuite_domain_type_minimal(test_create_no_t) typeattribute test_create_no_t test_create_d; - -# General rules for the test_create_d - -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_create_d) diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te index dad584e..4c499f7 100644 --- a/policy/test_task_getpgid.te +++ b/policy/test_task_getpgid.te @@ -24,8 +24,5 @@ type test_getpgid_no_t; testsuite_domain_type(test_getpgid_no_t) typeattribute test_getpgid_no_t test_getpgid_d; -# Allow domain to be entered from the sysadm domain -miscfiles_domain_entry_test_files(test_getpgid_d) - # Give test_getpgid_yes_t the permission needed. allow test_getpgid_yes_t test_getpgid_target_t:process getpgid; diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te index f541d58..98b267f 100644 --- a/policy/test_task_getsched.te +++ b/policy/test_task_getsched.te @@ -24,8 +24,5 @@ type test_getsched_no_t; testsuite_domain_type(test_getsched_no_t) typeattribute test_getsched_no_t test_getsched_d; -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_getsched_d) - # Give test_getsched_yes_t the permission needed. allow test_getsched_yes_t test_getsched_target_t:process getsched; diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te index 8c21d9a..b53d454 100644 --- a/policy/test_task_getsid.te +++ b/policy/test_task_getsid.te @@ -24,8 +24,5 @@ type test_getsid_no_t; testsuite_domain_type(test_getsid_no_t) typeattribute test_getsid_no_t test_getsid_d; -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_getsid_d) - # Give test_getsid_yes_t the permission needed. allow test_getsid_yes_t test_getsid_target_t:process getsession; diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te index 25e06d4..bb8afa7 100644 --- a/policy/test_task_setpgid.te +++ b/policy/test_task_setpgid.te @@ -15,6 +15,3 @@ typeattribute test_setpgid_yes_t test_setpgid_d; type test_setpgid_no_t; testsuite_domain_type_minimal(test_setpgid_no_t) typeattribute test_setpgid_no_t test_setpgid_d; - -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_setpgid_d) diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te index 432135e..3e75cf6 100644 --- a/policy/test_task_setsched.te +++ b/policy/test_task_setsched.te @@ -26,9 +26,6 @@ type test_setsched_no_t; testsuite_domain_type(test_setsched_no_t) typeattribute test_setsched_no_t test_setsched_d; -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_setsched_d) - # Allow these domains to execute renice. corecmd_bin_entry_type(test_setsched_d) diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te index e1aef8d..28efc10 100644 --- a/policy/test_tun_tap.te +++ b/policy/test_tun_tap.te @@ -91,8 +91,3 @@ allow test_newcon_no_from_tun_tap_t self:tun_socket { relabelto }; # For switch back on error: allow test_tun_tap_t test_newcon_no_from_tun_tap_t:fd { use }; allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(tuntapdomain) diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te index 69720f0..f4e9e41 100644 --- a/policy/test_unix_socket.te +++ b/policy/test_unix_socket.te @@ -58,6 +58,3 @@ allow test_unix_server_t test_unix_dgram_client_t:unix_dgram_socket sendto; type test_socketpair_t; testsuite_domain_type(test_socketpair_t) typeattribute test_socketpair_t unixsocketdomain; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(unixsocketdomain) diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te index 5cb7d1c..f5a6613 100644 --- a/policy/test_userfaultfd.te +++ b/policy/test_userfaultfd.te @@ -45,6 +45,3 @@ userfaultfd_domain_type(test_noread_uffd_t) # userfaultfd(2) requires CAP_SYS_PTRACE allow test_uffd_domain self:capability { sys_ptrace }; - -# Allow all of these domains to be executed -miscfiles_domain_entry_test_files(test_uffd_domain) diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te index 4bb989a..dbd47f4 100644 --- a/policy/test_vsock_socket.te +++ b/policy/test_vsock_socket.te @@ -42,6 +42,3 @@ vsock_client(noread, connect create getattr getopt setopt shutdown write) vsock_client(nogetattr, connect create getopt setopt read shutdown write) vsock_client(nogetopt, connect create getattr setopt read shutdown write) vsock_client(nosetopt, connect create getattr getopt read shutdown write) - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(vsocksocketdomain) diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te index 101d68a..a85bd20 100644 --- a/policy/test_watchkey.te +++ b/policy/test_watchkey.te @@ -15,8 +15,3 @@ allow test_watchkey_t self:key { view }; type test_watchkey_no_view_t; testsuite_domain_type(test_watchkey_no_view_t) typeattribute test_watchkey_no_view_t watchkeydomain; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(watchkeydomain)