From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 9 Oct 2012 21:01:08 +0200
Subject: [refpolicy] [PATCH] Add system_r role to unconfined_u and
	staff_u users
In-Reply-To: <20121009205718.4ada847d@fornost.bigon.be>
References: <1348320092-15953-1-git-send-email-bigon@debian.org>
	<20121008232132.15ade879@fornost.bigon.be>
	<50742DF5.6010402@tresys.com>
	<20121009205718.4ada847d@fornost.bigon.be>
Message-ID: <CAPzO=Nz02wsJV-GnKyQgUayV5NYa5=UCJE=7qVRmRiwt=a_EzA@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Oct 9, 2012 at 8:57 PM, Laurent Bigonville <bigon@debian.org> wrote:
> Also I've added the system_r role to the staff_u to be consistant (and
> because it's also done in the Fedora policy)

It also makes sense the moment you use init scripts that are "named"
for a specific service, like nscd_initrc_exec_t. For a user to be able
to use this, he needs to be granted the *_admin() towards his user
domain, but also the system_r role to the SELinux user itself
(otherwise this won't work)).

Wkr,
  Sven Vermeulen