[selinux-policy: 240/3172] move user_u and root to users

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:25:42 UTC 2010


commit 2fc84fd172d9bbf221740ed7bbb9d55e1fafd6f4
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jun 1 17:40:22 2005 +0000

    move user_u and root to users

 refpolicy/config/local.users |    4 ----
 refpolicy/policy/users       |   18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/config/local.users b/refpolicy/config/local.users
index 887f6f7..7e2bf7a 100644
--- a/refpolicy/config/local.users
+++ b/refpolicy/config/local.users
@@ -14,10 +14,6 @@
 # The MLS default level and allowed range should only be specified if 
 # MLS was enabled in the policy.
 
-user user_u roles { user_r };
-
-user root roles { sysadm_r staff_r };
-
 # sample for administrative user
 # user jadmin roles { staff_r sysadm_r };
 
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index a7a51b1..bb9d37b 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -11,3 +11,21 @@
 # identity.
 #
 user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+user user_u roles { user_r } user_mls(s0,s0 - s9:c0.c127);
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+user root roles { sysadm_r staff_r } user_mls(s0,s0 - s9:c0.c127);
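Review bot: The added `user_u` line gives the fallback identity the full range `s0 - s9:c0.c127`, the same as `system_u` and `root`, even though the comment above it says this identity is applied to any Linux user with no SELinux identity defined. On an MLS-enabled build this would allow every unmapped login to reach the highest sensitivity and all categories. Consider confining it to the default level, e.g. `user user_u roles { user_r } user_mls(s0,s0);`, and granting wider ranges only to explicitly defined users. The entries removed from local.users carried no MLS range, so the range is new in this commit rather than a straight move. The definition of `user_mls` is not visible here, so confirm how it expands when MLS is disabled.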

