From: dominick.grift@gmail.com (Dominick Grift) Date: Sat, 9 Nov 2013 10:45:06 +0100 Subject: [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed In-Reply-To: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> Message-ID: <1383990320-3340-25-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift --- policy/modules/system/unconfined.te | 6 ++++++ policy/users | 7 ------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 28a2188..4e4a4c5 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) optional_policy(` unconfined_dbus_chat(unconfined_execmem_t) ') + +ifdef(`direct_sysadm_daemon',` + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +',` + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +') diff --git a/policy/users b/policy/users index 5db8cf4..25402af 100644 --- a/policy/users +++ b/policy/users @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0) gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) -# Until order dependence is fixed for users: -ifdef(`direct_sysadm_daemon',` - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -',` - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -') - # # The following users correspond to Unix identities. # These identities are typically assigned as the user attribute -- 1.8.3.1