From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 9 Oct 2012 10:00:21 -0400
Subject: [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users
In-Reply-To: <20121008232132.15ade879@fornost.bigon.be>
References: <1348320092-15953-1-git-send-email-bigon@debian.org> <20121008232132.15ade879@fornost.bigon.be>
Message-ID: <50742DF5.6010402@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/08/12 17:21, Laurent Bigonville wrote:
> On Sat, 22 Sep 2012 15:21:32 +0200,
> Laurent Bigonville wrote:
>
>> From: Laurent Bigonville
>>
>> This is necessary for at least pulseaudio and libvirtd running in the
>> user session.
>> ---
>> policy/users | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/policy/users b/policy/users
>> index c4ebc7e..8d13fbc 100644
>> --- a/policy/users
>> +++ b/policy/users
>> @@ -25,11 +25,11 @@ gen_user(system_u,, system_r, s0, s0 -
>> mls_systemhigh, mcs_allcats) # permit any access to such users, then
>> remove this entry. #
>> gen_user(user_u, user, user_r, s0, s0)
>> -gen_user(staff_u, staff, staff_r sysadm_r
>> ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh,
>> mcs_allcats) +gen_user(staff_u, staff, staff_r sysadm_r system_r
>> ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh,
>> mcs_allcats) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 -
>> mls_systemhigh, mcs_allcats) # Until order dependence is fixed for
>> users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 -
>> mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, unconfined,
>> unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) #
>> # The following users correspond to Unix identities.
>
> Any thoughts on that patch?

The patch would need to be updated to be controlled by the direct_sysadm_daemon build option, as it is with the root seuser.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
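Review bot: in the staff_u hunk line, system_r is added unconditionally even though the same line already gates secadm_r and auditadm_r behind `ifdef(`enable_mls',...)`; system_r is the role of system_u (see the hunk header), so it should be wrapped the same way on the build option the reply names, e.g. `ifdef(`direct_sysadm_daemon',`system_r')`, and the unconfined_u line under "# Until order dependence is fixed for users:" needs the same gating. The commit message also names pulseaudio and libvirtd in the user session as the motivation without saying which role or domain transition fails without system_r; recording that would let the gated variant be checked against the actual denial.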
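As an added example for this thread (not refpolicy code and not from either poster), here is a small checker for the gating Chris asks for: it evaluates gen_user() lines under a chosen set of m4 build symbols and lists which seusers end up holding system_r. It assumes the `ifdef(`symbol',`roles')` form visible in the quoted hunk, handles only non-nested ifdef() calls, and relies on my recollection that the refpolicy Makefile passes `-D direct_sysadm_daemon` to m4 when DIRECT_INITRC=y in build.conf. The SUBMITTED text is a constructed copy of the user lines as patched; GATED is a hypothetical rewrite in the gated form, not something from the thread.

```python
"""Which SELinux users end up with system_r under a given build configuration?

Added example for this thread; it is not refpolicy code. Assumptions: role lists
in policy/users may be wrapped in the m4 form ifdef(`symbol',`roles') (as in the
quoted hunk), only non-nested ifdef() calls occur, and (from my recollection of
the refpolicy Makefile) the build defines direct_sysadm_daemon when
DIRECT_INITRC=y. Both policy texts below are constructed for this example.
"""
import re

# m4 ifdef with an optional else branch, non-nested: ifdef(`sym',`then'[,`else'])
_IFDEF = re.compile(r"ifdef\(`([^'`]*)',`([^'`]*)'(?:,`([^'`]*)')?\)")
_GEN_USER = re.compile(r"gen_user\(([^)]*)\)")

# Constructed: the user lines as submitted, system_r granted unconditionally.
SUBMITTED = """\
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r system_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
"""

# Constructed, hypothetical rewrite: system_r only when direct_sysadm_daemon is defined.
GATED = """\
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
gen_user(unconfined_u, unconfined, unconfined_r ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - mls_systemhigh, mcs_allcats)
"""


def expand_ifdefs(text, defined):
    """Expand each non-nested ifdef() the way m4 does for the given symbol set."""
    def pick(m):
        sym, then_branch, else_branch = m.group(1), m.group(2), m.group(3) or ""
        return then_branch if sym in defined else else_branch
    return _IFDEF.sub(pick, text)


def parse_gen_users(text, defined):
    """Return {seuser: set(roles)} for every gen_user() call after m4 expansion.

    gen_user(name, prefix, roles, mls_level, mls_range[, mcs_categories]);
    the roles field is space-separated and the prefix may be empty (system_u).
    Comment lines are dropped first so a '#' line mentioning gen_user is ignored.
    """
    users = {}
    source = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for m in _GEN_USER.finditer(expand_ifdefs(source, defined)):
        fields = [f.strip() for f in m.group(1).split(",")]
        users[fields[0]] = set(fields[2].split())
    return users


def users_with_role(text, role, defined=frozenset()):
    """Sorted seusers that hold `role` under the build symbols in `defined`."""
    return sorted(u for u, roles in parse_gen_users(text, defined).items() if role in roles)


if __name__ == "__main__":
    for label, policy in (("submitted", SUBMITTED), ("gated", GATED)):
        for symbols in (set(), {"enable_mls"}, {"enable_mls", "direct_sysadm_daemon"}):
            print(f"{label:9} {sorted(symbols) or '-'}: system_r held by "
                  f"{users_with_role(policy, 'system_r', symbols)}")
```

Run against a real policy/users, the same check shows whether a build without DIRECT_INITRC=y still hands system_r to staff_u or unconfined_u, which is the regression the gating is meant to prevent.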