[selinux-policy: 949/3172] work around role dominance breakage in module compiler

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:27:03 UTC 2010


commit 3797efb0ce61291ccb8bc5f408f9d6e7876d49e8
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Nov 10 20:37:31 2005 +0000

    work around role dominance breakage in module compiler

 refpolicy/policy/modules/system/domain.if     |    8 ++++++++
 refpolicy/policy/modules/system/userdomain.te |    8 ++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index b21d713..5087953 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -45,6 +45,14 @@ interface(`domain_base_type',`
 		tunable_policy(`allow_execmem',`
 			allow $1 self:process execmem;
 		')
+
+		# FIXME:
+		# hack until role dominance is fixed in
+		# the module compiler
+		role secadm_r types $1;
+		role sysadm_r types $1;
+		role user_r types $1;
+		role staff_r types $1;
 	')
 ')
 
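Review bot: The four added `role ... types $1;` lines authorize secadm_r, sysadm_r, user_r and staff_r for every type passed to domain_base_type(). That may be wider than the dominance rules they replace if system_r does not itself cover all of those types. The conditional that encloses these lines opens above the hunk, so it is not visible here whether the block is limited to targeted_policy. If it is not, the workaround would flatten role separation in the strict policy and needs a guard. The FIXME should also say what to undo, for example `# FIXME: remove once role dominance works in the module compiler and restore the dominance rules in userdomain.te`.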
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 6b0f0b4..d56c649 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -65,10 +65,10 @@ ifdef(`targeted_policy',`
 	fs_associate_tmpfs(user_home_dir_t)
 
 	# compatibility for switching from strict
-	dominance { role secadm_r { role system_r; }}
-	dominance { role sysadm_r { role system_r; }}
-	dominance { role user_r { role system_r; }}
-	dominance { role staff_r { role system_r; }}
+#	dominance { role secadm_r { role system_r; }}
+#	dominance { role sysadm_r { role system_r; }}
+#	dominance { role user_r { role system_r; }}
+#	dominance { role staff_r { role system_r; }}
 
 	# dont need to use the full role_change()
 	allow sysadm_r system_r;
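Review bot: The commented-out dominance rules carry no explanation of why they are disabled or where their replacement lives, and the existing `# compatibility for switching from strict` comment now heads only dead lines. Add a line above them such as `# FIXME: disabled until role dominance works in the module compiler; see the role ... types rules in domain_base_type()`. The `#` is also placed at column 0 ahead of the tab, unlike the neighbouring tab-indented comments, so putting the tab before the `#` would keep the block's indentation consistent. The targeted_policy ifdef block continues outside the hunk.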

