From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	paul.moore@hp.com, jbrindle@tresys.com, selinux@tycho.nsa.gov
Subject: [LTP][PATCH 1/2] Replacement of deprecated interfaces
Date: Wed, 27 Aug 2008 17:04:39 +0900	[thread overview]
Message-ID: <48B50A97.8050404@ak.jp.nec.com> (raw)
In-Reply-To: <alpine.LRH.1.10.0808262046000.6838@tundra.namei.org>

[-- Attachment #1: Type: text/plain, Size: 624 bytes --]

James Morris wrote:
> Could you also please add tests for this (at least one which should fail 
> and one which should succeed) to the Linux Test Project?
> 
> 
> - James

The policies stored in ltp/testcases/kernel/security/selinux-testsuite/refpolicy/
invoke a large number of deprecated interfaces on selinux-policy-3.5.4.

This patch fixes them according to the warning messages, which encourage
replacing the older ones.

BTW, I'm not happy that test_policy.pp does not allow test scripts to be
invoked from the unconfined_t domain. Is it to be fixed?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: ltp-selinux-refpolicy-fixes.patch --]
[-- Type: text/x-patch, Size: 27273 bytes --]

Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te	(revision 2)
@@ -72,12 +72,12 @@
 # Allow all of these domains to be entered from user domains.
 # via a shell script in the test directory or by another program.
 miscfiles_domain_entry_test_files(ipcdomain)
-userdom_sysadm_entry_spec_domtrans_to(ipcdomain)
+sysadm_entry_spec_domtrans(ipcdomain)
 corecmd_bin_entry_type(ipcdomain)
-userdom_sysadm_bin_spec_domtrans_to(ipcdomain)
+sysadm_bin_spec_domtrans_to(ipcdomain)
 
 allow test_ipc_base_t self:sem create_sem_perms;
 allow test_ipc_base_t self:shm create_sem_perms;
 allow test_ipc_base_t self:shm lock;
 # ipcrm needs this... 
-userdom_search_generic_user_home_dirs(test_ipc_base_t)
+unprivuser_search_home_dirs(test_ipc_base_t)
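Review bot: The replacement on the entry-point line drops the `_to` suffix (`sysadm_entry_spec_domtrans(ipcdomain)`) while the bin variant two lines below keeps it (`sysadm_bin_spec_domtrans_to(ipcdomain)`). In refpolicy naming the suffix carries the direction of the transition, so the un-suffixed interface, if the installed sysadm.if defines one, would presumably let ipcdomain transition into sysadm_t rather than let sysadm enter the test domain as the comment above states. That would either fail to build or give the test domains a path into the admin domain, so it is worth checking against the deprecation warning text; the expected line is likely `sysadm_entry_spec_domtrans_to(ipcdomain)`. The same substitution recurs in every later hunk of this patch that replaces `userdom_sysadm_entry_spec_domtrans_to`.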
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te	(revision 2)
@@ -43,7 +43,6 @@
 
 # Allow execution of helper programs.
 corecmd_exec_bin(fileopdomain)
-corecmd_exec_sbin(fileopdomain)
 domain_exec_all_entry_files(fileopdomain)
 libs_use_ld_so(fileopdomain)
 libs_use_shared_libs(fileopdomain)
@@ -52,13 +51,13 @@
 
 # Allow all of these domains to be entered from sysadm domain
 miscfiles_domain_entry_test_files(fileopdomain)
-userdom_sysadm_entry_spec_domtrans_to(fileopdomain)
+sysadm_entry_spec_domtrans(fileopdomain)
 
 corecmd_bin_entry_type(fileopdomain)
-userdom_sysadm_bin_spec_domtrans_to(fileopdomain)
+sysadm_bin_spec_domtrans_to(fileopdomain)
 
-corecmd_sbin_entry_type(fileopdomain)
-userdom_sysadm_sbin_spec_domtrans_to(fileopdomain)
+corecmd_bin_entry_type(fileopdomain)
+sysadm_bin_spec_domtrans_to(fileopdomain)
 
 allow fileop_t fileop_exec_t:file entrypoint;
 domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
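Review bot: After the sbin-to-bin substitution the last changed pair in this hunk, `corecmd_bin_entry_type(fileopdomain)` and `sysadm_bin_spec_domtrans_to(fileopdomain)`, repeats the pair just above it verbatim. The duplicate rules should be harmless to the compiled policy, but they make the module read as if two distinct entry paths were intended. The second pair can simply be deleted rather than rewritten.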
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te	(revision 2)
@@ -19,8 +19,8 @@
 
 # Allow all of these domains to be entered from sysadm domain
 # via /sbin/sysctl.
-corecmd_sbin_entry_type(sysctldomain)
-userdom_sysadm_sbin_spec_domtrans_to(sysctldomain)
+corecmd_bin_entry_type(sysctldomain)
+sysadm_bin_spec_domtrans_to(sysctldomain)
 
 # Allow the first domain to perform sysctl operations.
 kernel_rw_all_sysctls(test_sysctl_t)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te	(revision 2)
@@ -24,10 +24,10 @@
 typeattribute test_create_no_t test_create_d;
 
 allow test_create_no_t self:process ~fork;
-allow test_create_no_t proc_t:dir r_dir_perms;
+allow test_create_no_t proc_t:dir list_dir_perms;
 allow test_create_no_t proc_t:lnk_file read;
-allow test_create_no_t self:dir r_dir_perms;
-allow test_create_no_t self:notdevfile_class_set r_file_perms;
+allow test_create_no_t self:dir list_dir_perms;
+allow test_create_no_t self:notdevfile_class_set read_file_perms;
 
 libs_use_ld_so(test_create_no_t)
 libs_use_shared_libs(test_create_no_t)
@@ -35,14 +35,14 @@
 allow test_create_no_t self:process setexec;
 selinux_get_fs_mount(test_create_no_t)
 
-allow test_create_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir r_dir_perms;
-allow test_create_no_t lib_t:lnk_file r_file_perms;
+allow test_create_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir list_dir_perms;
+allow test_create_no_t lib_t:lnk_file read_file_perms;
 allow test_create_no_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow test_create_no_t locale_t:dir r_dir_perms;
-allow test_create_no_t locale_t:{ file lnk_file } r_file_perms;
+allow test_create_no_t locale_t:dir list_dir_perms;
+allow test_create_no_t locale_t:{ file lnk_file } read_file_perms;
 allow test_create_no_t privfd:fd use;
-userdom_use_sysadm_ptys(test_create_no_t)
-userdom_use_sysadm_ttys(test_create_no_t)
+sysadm_use_ptys(test_create_no_t)
+sysadm_use_ttys(test_create_no_t)
 
 # General rules for the test_create_d
 
@@ -50,4 +50,4 @@
 role sysadm_r types test_create_d;
 role system_r types test_create_d;
 miscfiles_domain_entry_test_files(test_create_d)
-userdom_sysadm_entry_spec_domtrans_to(test_create_d)
+sysadm_entry_spec_domtrans(test_create_d)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te	(revision 2)
@@ -35,7 +35,6 @@
 
 # Allow execution of helper programs.
 corecmd_exec_bin(capabledomain)
-corecmd_exec_sbin(capabledomain)
 domain_exec_all_entry_files(capabledomain)
 files_exec_etc_files(capabledomain)
 libs_use_ld_so(capabledomain)
@@ -45,9 +44,9 @@
 
 # Allow test_file_t and bin_t to be entered from sysadm role
 miscfiles_domain_entry_test_files(capabledomain)
-userdom_sysadm_entry_spec_domtrans_to(capabledomain)
+sysadm_entry_spec_domtrans(capabledomain)
 corecmd_bin_entry_type(capabledomain)
-userdom_sysadm_bin_spec_domtrans_to(capabledomain)
+sysadm_bin_spec_domtrans_to(capabledomain)
 
 # Allow these domains to create a temporay file.
 allow capabledomain test_file_t:file { setattr rw_file_perms };
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te	(revision 2)
@@ -25,7 +25,6 @@
 
 # Allow execution of helper programs.
 corecmd_exec_bin(setnicedomain)
-corecmd_exec_sbin(setnicedomain)
 domain_exec_all_entry_files(setnicedomain)
 files_exec_etc_files(setnicedomain)
 libs_use_ld_so(setnicedomain)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te	(revision 2)
@@ -35,7 +35,7 @@
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(fdreceivedomain)
-userdom_sysadm_entry_spec_domtrans_to(fdreceivedomain)
+sysadm_entry_spec_domtrans(fdreceivedomain)
 
 # Grant the necessary permissions for the server domain.
 ## Create the Unix domain socket file.
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te	(revision 2)
@@ -69,5 +69,5 @@
 
 # Allow all of these domains to be entered from sysadm domain
 corecmd_bin_entry_type(test_link_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_link_domain)
+sysadm_bin_spec_domtrans_to(test_link_domain)
 
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te	(revision 2)
@@ -43,7 +43,7 @@
 # Allow all of these domains to be entered from the sysadm domains,
 # via kill or a program in the test directory.
 miscfiles_domain_entry_test_files(killdomain)
-userdom_sysadm_entry_spec_domtrans_to(killdomain)
+sysadm_entry_spec_domtrans(killdomain)
 corecmd_bin_entry_type(killdomain)
-userdom_sysadm_bin_spec_domtrans_to(killdomain)
+sysadm_bin_spec_domtrans_to(killdomain)
 
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te	(revision 2)
@@ -13,7 +13,7 @@
 
 # Allow the test domains to access the sysadm terminal.
 # This allows read and write sysadm ttys and ptys.
-userdom_use_sysadm_terms(testdomain)
+sysadm_use_terms(testdomain)
 
 # Allow the test domains to access the test directory and files
 # even if they are not root owned.
@@ -64,9 +64,9 @@
 	type null_device_t;
 	type zero_device_t;
 }
-allow testdomain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir r_dir_perms;
-allow testdomain lib_t:{ file lnk_file } r_file_perms;
-allow testdomain etc_t:file r_file_perms;
+allow testdomain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir list_dir_perms;
+allow testdomain lib_t:{ file lnk_file } read_file_perms;
+allow testdomain etc_t:file read_file_perms;
 allow testdomain { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
 miscfiles_read_localization(testdomain)
 domain_use_interactive_fds(testdomain)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te	(revision 2)
@@ -32,4 +32,4 @@
 
 # Allow all of these domains to be entered from sysadm domain
 miscfiles_domain_entry_test_files(test_open_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_open_domain)
+sysadm_entry_spec_domtrans(test_open_domain)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te	(revision 2)
@@ -25,7 +25,7 @@
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_getsid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsid_d)
+sysadm_entry_spec_domtrans(test_getsid_d)
 
 # Give test_getsid_yes_t the permission needed.
 allow test_getsid_yes_t test_getsid_target_t:process getsession;
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te	(revision 2)
@@ -37,7 +37,7 @@
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(inheritdomain)
-userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
+sysadm_entry_spec_domtrans(inheritdomain)
 
 # Grant the necessary permissions for the parent domain.
 allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
@@ -61,4 +61,4 @@
 allow test_inherit_nowrite_t test_inherit_parent_t:fd use;
 allow test_inherit_nowrite_t test_inherit_parent_t:fifo_file rw_file_perms;
 allow test_inherit_nowrite_t test_inherit_parent_t:process sigchld;
-allow test_inherit_nowrite_t test_inherit_file_t:file r_file_perms;
+allow test_inherit_nowrite_t test_inherit_file_t:file read_file_perms;
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te	(revision 2)
@@ -25,7 +25,7 @@
 
 # Allow domain to be entered from the sysadm domain
 miscfiles_domain_entry_test_files(test_getpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getpgid_d)
+sysadm_entry_spec_domtrans(test_getpgid_d)
 
 # Give test_getpgid_yes_t the permission needed.
 allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te	(revision 2)
@@ -40,5 +40,5 @@
 
 # Allow all of these domains to be entered from sysadm domain
 corecmd_bin_entry_type(test_relabel_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_relabel_domain)
+sysadm_bin_spec_domtrans_to(test_relabel_domain)
 
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te	(revision 2)
@@ -25,7 +25,7 @@
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(execsharedomain)
-userdom_sysadm_entry_spec_domtrans_to(execsharedomain)
+sysadm_entry_spec_domtrans(execsharedomain)
 
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te	(revision 2)
@@ -25,7 +25,7 @@
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_getsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsched_d)
+sysadm_entry_spec_domtrans(test_getsched_d)
 
 # Give test_getsched_yes_t the permission needed.
 allow test_getsched_yes_t test_getsched_target_t:process getsched;
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te	(revision 2)
@@ -28,7 +28,7 @@
 
 # Allow test_files_t to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(dyntracedomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntracedomain)
+sysadm_entry_spec_domtrans(dyntracedomain)
 miscfiles_exec_test_files(dyntracedomain)
 
 # Grant the necessary permissions for the child domain.
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te	(revision 2)
@@ -23,7 +23,6 @@
 
 # Allow execution of helper programs.
 corecmd_exec_bin(ioctldomain)
-corecmd_exec_sbin(ioctldomain)
 domain_exec_all_entry_files(ioctldomain)
 files_exec_etc_files(ioctldomain)
 libs_use_ld_so(ioctldomain)
@@ -34,9 +33,9 @@
 # Allow all of these domains to be entered from sysadm domain
 # via a shell script in the test directory or by....
 miscfiles_domain_entry_test_files(ioctldomain)
-userdom_sysadm_entry_spec_domtrans_to(ioctldomain)
+sysadm_entry_spec_domtrans(ioctldomain)
 corecmd_bin_entry_type(ioctldomain)
-userdom_sysadm_bin_spec_domtrans_to(ioctldomain)
+sysadm_bin_spec_domtrans_to(ioctldomain)
 
 # Allow the test domains some access to the temp file
 allow test_ioctl_t test_ioctl_file_t:file { read getattr setattr ioctl };
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te	(revision 2)
@@ -17,5 +17,4 @@
 
 # Allow this domain to be entered via its entrypoint type.
 domain_entry_file(test_entrypoint_t, test_entrypoint_execute_t)
-userdom_sysadm_entry_spec_domtrans_to(test_entrypoint_t)
-
+sysadm_entry_spec_domtrans(test_entrypoint_t)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te	(revision 2)
@@ -27,7 +27,7 @@
 
 # Allow the tracer domain to trace the traced domain.
 allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
-userdom_search_generic_user_home_dirs(test_ptrace_traced_t)
+unprivuser_search_home_dirs(test_ptrace_traced_t)
 
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
@@ -35,4 +35,4 @@
 # Allow all of these domains to be entered from the sysadm domains.
 # via a program in the test directory.
 miscfiles_domain_entry_test_files(ptracedomain)
-userdom_sysadm_entry_spec_domtrans_to(ptracedomain)
+sysadm_entry_spec_domtrans(ptracedomain)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te	(revision 2)
@@ -18,27 +18,28 @@
 typeattribute test_setpgid_no_t test_setpgid_d;
 
 allow test_setpgid_no_t self:process ~{ setpgid setcurrent };
-allow test_setpgid_no_t proc_t:dir r_dir_perms;
+allow test_setpgid_no_t proc_t:dir list_dir_perms;
 allow test_setpgid_no_t proc_t:lnk_file read;
-allow test_setpgid_no_t self:dir r_dir_perms;
-allow test_setpgid_no_t self:notdevfile_class_set r_file_perms;
+allow test_setpgid_no_t self:dir list_dir_perms;
+allow test_setpgid_no_t self:notdevfile_class_set read_file_perms;
 
 libs_use_ld_so(test_setpgid_no_t)
 libs_use_shared_libs(test_setpgid_no_t)
 allow test_setpgid_no_t self:process setexec;
 selinux_get_fs_mount(test_setpgid_no_t)
 
-allow test_setpgid_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir r_dir_perms;
-allow test_setpgid_no_t lib_t:lnk_file r_file_perms;
+allow test_setpgid_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir list_dir_perms;
+allow test_setpgid_no_t lib_t:lnk_file read_file_perms;
 allow test_setpgid_no_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow test_setpgid_no_t locale_t:dir r_dir_perms;
-allow test_setpgid_no_t locale_t:{ file lnk_file } r_file_perms;
+allow test_setpgid_no_t locale_t:dir list_dir_perms;
+allow test_setpgid_no_t locale_t:{ file lnk_file } read_file_perms;
 allow test_setpgid_no_t privfd:fd use;
-userdom_use_sysadm_ptys(test_setpgid_no_t)
-userdom_use_sysadm_ttys(test_setpgid_no_t)
+sysadm_use_ptys(test_setpgid_no_t)
+sysadm_use_ttys(test_setpgid_no_t)
 
 # Allow domain to be entered from the sysadm domain.
 role sysadm_r types test_setpgid_d;
 role system_r types test_setpgid_d;
 miscfiles_domain_entry_test_files(test_setpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setpgid_d)
+sysadm_entry_spec_domtrans(test_setpgid_d)
+userdom_entry_spec_domtrans_unpriv_users(test_setpgid_d)
\ No newline at end of file
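Review bot: The last added line, `userdom_entry_spec_domtrans_unpriv_users(test_setpgid_d)`, is not a rename of a deprecated call: no removed line corresponds to it, and no other module in this patch receives it. Judging by its name it additionally lets unprivileged user domains enter test_setpgid_d, which widens who can reach the test domains and contradicts the comment `# Allow domain to be entered from the sysadm domain.` If the extra entry path is wanted it belongs in its own change with the comment updated, for example `# Allow domain to be entered from the sysadm and unprivileged user domains.`; otherwise the line should be dropped. The new revision of the file also ends without a trailing newline.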
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te	(revision 2)
@@ -26,7 +26,7 @@
 
 # Allow domain to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(test_setsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setsched_d)
+sysadm_entry_spec_domtrans(test_setsched_d)
 
 # Allow these domains to execute renice.
 corecmd_bin_entry_type(test_setsched_d)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te	(revision 2)
@@ -27,5 +27,5 @@
 
 # Allow all of these domains to be entered from sysadm domain
 corecmd_bin_entry_type(test_setattr_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_setattr_domain)
+sysadm_bin_spec_domtrans_to(test_setattr_domain)
 
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te	(revision 2)
@@ -30,4 +30,4 @@
 allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
 
 # Allow all of these domains to be entered from the sysadm domain.
-userdom_sysadm_entry_spec_domtrans_to(transitiondomain)
+sysadm_entry_spec_domtrans(transitiondomain)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te	(revision 2)
@@ -28,7 +28,7 @@
 corenet_raw_sendrecv_all_nodes(capabledomain)
 corenet_tcp_sendrecv_all_ports(capabledomain)
 corenet_udp_sendrecv_all_ports(capabledomain)
-corenet_non_ipsec_sendrecv(capabledomain)
+corenet_all_recvfrom_unlabeled(capabledomain)
 corenet_tcp_bind_all_nodes(capabledomain)
 corenet_udp_bind_all_nodes(capabledomain)
 sysnet_read_config(capabledomain)
@@ -44,8 +44,8 @@
 allow capabledomain hi_reserved_port_t:tcp_socket name_bind;
 
 # Allow sbin_t to be entered from admin via certain utils.
-corecmd_sbin_entry_type(capabledomain)
-userdom_sysadm_sbin_spec_domtrans_to(capabledomain)
+corecmd_bin_entry_type(capabledomain)
+sysadm_bin_spec_domtrans_to(capabledomain)
 
 require {
 	type ifconfig_exec_t;
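Review bot: The comment `# Allow sbin_t to be entered from admin via certain utils.` no longer matches the two lines under it, which now declare a bin entry type and a bin transition. Suggest `# Allow bin_t to be entered from admin via certain utils.` so that a reader auditing the entry points of capabledomain is not sent looking for an sbin rule. The `require` block at the end of the hunk continues outside it.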
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te	(revision 2)
@@ -28,5 +28,4 @@
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(dyntransdomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntransdomain)
-
+sysadm_entry_spec_domtrans(dyntransdomain)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te	(revision 2)
@@ -28,7 +28,7 @@
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(exectracedomain)
-userdom_sysadm_entry_spec_domtrans_to(exectracedomain)
+sysadm_entry_spec_domtrans(exectracedomain)
 
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te	(revision 2)
@@ -25,7 +25,7 @@
 
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(waitdomain)
-userdom_sysadm_entry_spec_domtrans_to(waitdomain)
+sysadm_entry_spec_domtrans(waitdomain)
 
 # Grant permissions for a domain transition from parent to child,
 # including the ability to wait on the child.
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te	(revision 2)
@@ -19,8 +19,8 @@
 
 # Allow this domain to be entered via the shell.
 corecmd_shell_entry_type(test_execute_notrans_t)
-userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
+sysadm_entry_spec_domtrans(test_execute_notrans_t)
 
 #Allow test_execute_notrans permissions to the allowed type
 can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
-allow test_execute_notrans_t test_execute_notrans_denied_t:file rx_file_perms;
+allow test_execute_notrans_t test_execute_notrans_denied_t:file { mmap_file_perms ioctl lock };
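Review bot: The rule for test_execute_notrans_denied_t has no comment, and after the rewrite to `{ mmap_file_perms ioctl lock }` it is no longer obvious what the set deliberately leaves out. Going by the type names, the test presumably depends on this set granting read and execute but not execute_no_trans; a line such as `# Grant read/execute on the denied type but not execute_no_trans.` above the rule would record that. It is also worth confirming that mmap_file_perms in the target policy version does not expand to include execute_no_trans, since that would silently turn the negative test into a pass.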
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te	(revision 2)
@@ -56,4 +56,4 @@
 
 # Allow all of these domains to be entered from sysadm domain
 corecmd_bin_entry_type(test_mkdir_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_mkdir_domain)
+sysadm_bin_spec_domtrans_to(test_mkdir_domain)
Index: ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te
===================================================================
--- ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te	(revision 1)
+++ ltp/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te	(revision 2)
@@ -103,5 +103,5 @@
 
 # Allow all of these domains to be entered from sysadm domain
 corecmd_bin_entry_type(test_rename_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_rename_domain)
+sysadm_bin_spec_domtrans_to(test_rename_domain)
 
