@@ -28,8 +28,6 @@ optional_policy(`
allow testsuite_domain unconfined_t:fd use;
allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr };
allow testsuite_domain unconfined_t:process { sigchld };
- # needed for domains outside domain_type()
- dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
')
optional_policy(`
@@ -65,6 +63,9 @@ optional_policy(`
#selinux_get_fs_mount(sysadm_t)
')
+# Needed for domains outside domain_type()
+dontaudit testsuite_caller_domain testsuite_domain:process { noatsecure rlimitinh siginh };
+
# Allow the test domains to access the sysadm terminal.
# This allows read and write sysadm ttys and ptys.
term_use_all_terms(testsuite_domain)
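Review bot: The comment on the added `dontaudit` line ("Needed for domains outside domain_type()") does not say that the rule only silences denials. `noatsecure`, `rlimitinh` and `siginh` are still denied on transitions from every `testsuite_caller_domain` type into `testsuite_domain`, so secure-exec handling and the reset of inherited rlimits and signal state stay in effect and simply stop being logged. I would word the comment along the lines of `# Silence, not allow: noatsecure/rlimitinh/siginh remain denied for caller -> test domain transitions; rebuild with semodule -DB to see the AVCs when debugging.` The rule has also moved out of the `optional_policy` block, so it now relies on `testsuite_caller_domain` being declared unconditionally and covering only the intended caller types; that declaration is outside this hunk and worth confirming.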
The unconfined_t-specific dontaudit rule here is actually also needed for sysadm_t, so generalize it to the whole testsuite_caller_domain. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/test_global.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)