unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

policy/modules/system/unconfined.if

@@ -1,5 +1,21 @@
 ## <summary>The unconfined domain.</summary>
 
+########################################
+## <summary>
+##	Unconfined stub interface.  No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_stub',`
+	gen_require(`
+		type unconfined_t;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Make the specified domain unconfined.
@@ -12,13 +28,14 @@
 #
 interface(`unconfined_domain_noaudit',`
 	gen_require(`
-		type unconfined_t;
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
 		class service all_service_perms;
 	')
 
+	unconfined_stub($1)
+
 	# Use most Linux capabilities
 	allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
 	allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm };