From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 9 Oct 2012 21:01:08 +0200
Subject: [refpolicy] [PATCH] Add system_r role to unconfined_u and staff_u users
In-Reply-To: <20121009205718.4ada847d@fornost.bigon.be>
References: <1348320092-15953-1-git-send-email-bigon@debian.org> <20121008232132.15ade879@fornost.bigon.be> <50742DF5.6010402@tresys.com> <20121009205718.4ada847d@fornost.bigon.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Oct 9, 2012 at 8:57 PM, Laurent Bigonville wrote:
> Also I've added the system_r role to the staff_u to be consistent (and
> because it's also done in the Fedora policy)

It also makes sense the moment you use init scripts that are "named" for a
specific service, like nscd_initrc_exec_t. For a user to be able to use
this, he needs to be granted the *_admin() towards his user domain, but also
the system_r role to the SELinux user itself (otherwise this won't work).

Wkr,
Sven Vermeulen