Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)

[zpytela]

Scratchbuild seems to work:
Before:

# sesearch --dontaudit -s systemd_tmpfiles_t -c file -ds
dontaudit systemd_tmpfiles_t systemd_tmpfiles_t:file create;

After:

# sesearch --dontaudit -s systemd_tmpfiles_t -c file -ds
dontaudit systemd_tmpfiles_t file_type:file getattr;
dontaudit systemd_tmpfiles_t systemd_tmpfiles_t:file create;

[wrabcak]

Hi @zpytela ,

Based on rhbz#1772976, you're trying to dontaudit this rule:
dontaudit systemd_tmpfiles_t sysctl_vm_t:file getattr by using macro where file_type attribute is used. BUT sysctl_vm_t is not part of this attribute.

# seinfo -xafile_type | grep sysctl_vm_t
# 

So it fixes the issue for another bugzillas, but not for rhbz#1772976.

[zpytela]

Looks like incorrect acceptance criteria, thank you for catching that. Current state:

# sesearch --dontaudit -s systemd_tmpfiles_t -t sysctl_vm_t -c file -p getattr
dontaudit systemd_tmpfiles_t sysctl_type:file getattr;

# sesearch --dontaudit -s systemd_tmpfiles_t -c file -ds
dontaudit systemd_tmpfiles_t file_type:file getattr;
dontaudit systemd_tmpfiles_t filesystem_type:file getattr;
dontaudit systemd_tmpfiles_t proc_type:file getattr;
dontaudit systemd_tmpfiles_t sysctl_type:file getattr;
dontaudit systemd_tmpfiles_t systemd_tmpfiles_t:file create;

Note device_node is not a part of the list as I was not able to find such a file in sosreport.

Requesting review.

[wrabcak]

LGTM.
Thanks.