From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 17 Feb 2010 10:54:44 -0500
Subject: [refpolicy] roles_staff.patch
Message-ID: <4B7C1144.9020105@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_staff.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unprivuser.patch
http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_sysadm.patch

Updated patches including ifndef redhat to remove all the old cruft caused by the per_role_template in ancient policy.


staff - Add setexec so it can use sandbox

Allow it to read kernel state.
Allow it to use rtkit

Lots of real world access required by staff_usertype.

Also allow staff_t to transition to unconfined_t through sudo.