Even though it is only needed for the 'minimal' domains, it will be cleaner to apply it to all of them inside the optional block.
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
 policy/test_global.te | 2 ++
 policy/test_policy.if | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/test_global.te b/policy/test_global.te
index 83e573c..03acc19 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -21,6 +21,8 @@ optional_policy(`
 allow testsuite_domain unconfined_t:fd use;
 allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr };
 allow testsuite_domain unconfined_t:process { sigchld };
+ # needed for domains outside domain_type()
+ dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
 ')
 gen_require(`
diff --git a/policy/test_policy.if b/policy/test_policy.if
index f17a384..6cef8dd 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -49,7 +49,7 @@ interface(`testsuite_domain_type',`
 interface(`testsuite_domain_type_minimal',`
 gen_require(`
- type setrans_var_run_t, unconfined_t;
+ type setrans_var_run_t;
 ')
 testsuite_domain_type_common($1)
@@ -62,7 +62,6 @@ interface(`testsuite_domain_type_minimal',`
 dontaudit $1 security_t:filesystem getattr;
 dontaudit $1 self:file getattr;
 dontaudit $1 setrans_var_run_t:dir search;
- dontaudit unconfined_t $1:process { noatsecure rlimitinh siginh };
 ')
 # Workarounds for refpolicy:
--
2.37.1
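Review bot: The added comment in the test_global.te hunk says where the rule is needed but not what it does, and a `dontaudit` here is easy to misread as permitting inheritance: it only silences the AVC records, while the `noatsecure`, `rlimitinh` and `siginh` checks are still denied, so a process entering a testsuite domain from unconfined_t still goes through the secure-exec path (AT_SECURE, resource-limit and signal-state reset) that SELinux applies on such transitions. I would extend the comment to something like `# domain_type() domains presumably get this dontaudit via refpolicy's domain attribute; minimal domains do not. This only quiets the denials, it does not grant inheritance.`, hedged because the refpolicy side is not visible in this diff. The `optional_policy` block, including the `gen_require` that must declare `unconfined_t` for this rule, starts above the hunk; worth confirming that require is present since the hunk in test_policy.if drops `unconfined_t` from the interface's own `gen_require`. The test_policy.if hunks are consistent with this move and need nothing further.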