[selinux-policy: 945/3172] use role dominance in targeted for compatability with strict

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:26:42 UTC 2010


commit 37c85212a162b7f305fd570fa845b2959999834e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Nov 10 16:55:56 2005 +0000

    use role dominance in targeted for compatability with strict

 refpolicy/policy/modules/system/unconfined.if |   16 ----------------
 refpolicy/policy/modules/system/unconfined.te |    8 ++++++++
 refpolicy/policy/modules/system/userdomain.te |    3 ---
 3 files changed, 8 insertions(+), 19 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 23a7b97..6e12ad1 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -248,22 +248,6 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
 
 ########################################
 ## <summary>
-##	Add the unconfined domain to the specified role.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`unconfined_role',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	role $1 types unconfined_t;
-')
-
-########################################
-## <summary>
 ##	Add an alias type to the unconfined domain.
 ## </summary>
 ## <desc>
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index ce40afb..486a30d 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -25,6 +25,12 @@ unconfined_domain_template(unconfined_t)
 logging_send_syslog_msg(unconfined_t)
 
 ifdef(`targeted_policy',`
+	# compatibility for switching from strict
+	dominance { role secadm_r { role system_r; }}
+	dominance { role sysadm_r { role system_r; }}
+	dominance { role user_r { role system_r; }}
+	dominance { role staff_r { role system_r; }}
+
 	allow unconfined_t self:system syslog_read;
 	dontaudit unconfined_t self:capability sys_module;
 
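Review bot: The four `dominance` statements added at the top of the targeted_policy block grant more than the `unconfined_role()` calls this commit removes, because a dominating role inherits every type authorized for `system_r`, not only `unconfined_t`. In the visible hunks only `user_r` and `sysadm_r` previously received `unconfined_t`, so `secadm_r` and `staff_r` appear to be new grants; how wide the result is depends on which types `system_r` carries in the targeted build, which this diff does not show. If the unconfined domain is all that a strict-to-targeted switch needs, one explicit line per role such as `role staff_r types unconfined_t;` would keep the role-to-type mapping auditable. Otherwise the comment should record the trade-off, for example `# strict roles dominate system_r so they stay valid under targeted; this also gives them all system_r types`. The ifdef block continues past the end of the hunk.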
@@ -120,5 +126,7 @@ ifdef(`targeted_policy',`
 	')
 
 	') dnl end TODO
+
+	# FIXME:
 	typeattribute unconfined_t direct_run_init;
 ')
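Review bot: The added `# FIXME:` above `typeattribute unconfined_t direct_run_init;` carries no text, so a later reader cannot tell what is wrong with the attribute assignment or when it can be removed. Put the problem in the marker itself, e.g. `# FIXME: <why unconfined_t should not keep direct_run_init, and what replaces it>`. The enclosing targeted_policy ifdef block starts outside this hunk.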
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a108cbd..03861f3 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -64,9 +64,6 @@ ifdef(`targeted_policy',`
 	files_associate_tmp(user_home_dir_t)
 	fs_associate_tmpfs(user_home_dir_t)
 
-	unconfined_role(user_r)
-	unconfined_role(sysadm_r)
-
 	# dont need to use the full role_change()
 	allow sysadm_r system_r;
 	allow sysadm_r user_r;

