On Wed, Aug 3, 2022 at 10:53 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Tue, Aug 2, 2022 at 3:55 PM Daniel Burgener
> <dburgener@xxxxxxxxxxxxxxxxxxx> wrote:
> > On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > > This is good to have for pretty much all domains, so remove the
> > > individual calls and move it to test_general.te.
> > >
> >
> > For whatever reason, test_sysnice.te uses
> >
> > domain_transition_pattern(sysadm_t, test_file_t, setnicedomain)
> >
> > instead of userdom_sysadm_entry_spec_domtrans_to(). I think the access
> > added in the global attribute here covers that and the
> > domain_transition_pattern() there can be deleted as well.
> >
> > Between that and the change to test_setnice.te in Patch 9, this comment
> > above those two lines seems obsolete and can probably be deleted:
> >
> > # Allow all of these domains to be entered from sysadm domain
> > # via a shell script in the test directory or by....]
>
> Oh, true... I did carefully search and remove all individual
> references to unconfined* but not sysadm*. I'll try to clean those up,
> too.

OK, I pushed a new version (see the GitHub PR) with sysadm* references
removed + corecmd_* rules also moved to general policy + some groups
of superfluous macro calls removed as well. There are probably still
some small cleanup opportunities left, but this is where I'm going to
stop for now.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.