The unconfined_t-specific dontaudit rule here is actually also needed for sysadm_t, so generalize it to the whole testsuite_caller_domain. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/test_global.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/policy/test_global.te b/policy/test_global.te index 3536fbb..91bddd8 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -28,8 +28,6 @@ optional_policy(` allow testsuite_domain unconfined_t:fd use; allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr }; allow testsuite_domain unconfined_t:process { sigchld }; - # needed for domains outside domain_type() - dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh }; ') optional_policy(` @@ -65,6 +63,9 @@ optional_policy(` #selinux_get_fs_mount(sysadm_t) ') +# Needed for domains outside domain_type() +dontaudit testsuite_caller_domain testsuite_domain:process { noatsecure rlimitinh siginh }; + # Allow the test domains to access the sysadm terminal. # This allows read and write sysadm ttys and ptys. term_use_all_terms(testsuite_domain) -- 2.37.1
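Review bot: The added `dontaudit testsuite_caller_domain testsuite_domain:process { noatsecure rlimitinh siginh };` in the second hunk sits at top level, outside any optional_policy block, and depends on the testsuite_caller_domain attribute, whose declaration and membership are not visible in this patch. The rule it replaces was inside an optional_policy block and named unconfined_t directly, so please confirm that the attribute is declared unconditionally in this module and that both unconfined_t and sysadm_t carry it; otherwise the unconfined_t case loses its coverage. The comment "Needed for domains outside domain_type()" is carried over almost verbatim; consider extending it to say that the rule now applies to every caller domain and that sysadm_t is the case that motivated the change, as the commit message does. Since this widens suppression of these three process denials from one type to the whole attribute, it is also worth noting in the comment that they stay hidden unless dontaudit rules are disabled.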