From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 9 Oct 2012 20:57:18 +0200
Subject: [refpolicy] [PATCH] Add system_r role to unconfined_u and
 staff_u users
In-Reply-To: <50742DF5.6010402@tresys.com>
References: <1348320092-15953-1-git-send-email-bigon@debian.org>
	<20121008232132.15ade879@fornost.bigon.be>
	<50742DF5.6010402@tresys.com>
Message-ID: <20121009205718.4ada847d@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Le Tue, 9 Oct 2012 10:00:21 -0400,
"Christopher J. PeBenito" <cpebenito@tresys.com> a ?crit :

> On 10/08/12 17:21, Laurent Bigonville wrote:
> > 
> > Any thoughts on that patch?
> 
> The patch would need to be updated to be controlled by the
> direct_sysadm_daemon build option, as it is with the root seuser.
> 

My initial issue was that when dbus was starting pulseaudio and libvirt,
logged-in using my unconfined user, it was trying to transition the
process to unconfined_u:system_r:{pulseaudio_t,virtd_t} and it was
exploding as the label was invalid.

So if the policy is compiled without direct_sysadm_daemon I guess that
this issue will persist.

Also I've added the system_r role to the staff_u to be consistant (and
because it's also done in the Fedora policy)

Laurent Bigonville