From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 27 Apr 2015 20:55:18 +0200
Subject: [refpolicy] [PATCH] Role type statements no longer declare the
 role
In-Reply-To: <20150427180534.GA27157@x131e>
References: <1430157783-27471-1-git-send-email-dac.override@gmail.com>
	<20150427180534.GA27157@x131e>
Message-ID: <20150427185518.GA8291@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Apr 27, 2015 at 08:05:35PM +0200, Dominick Grift wrote:
> On Mon, Apr 27, 2015 at 08:03:03PM +0200, Dominick Grift wrote:
> > Back in the older days, role type statements automatically declared the role. This was later changed.
> > 
> > I expect that these macro date from that period and that they should be updated to declare the role.
> 
> This is just a RFC patch. its untested and the indent is not conform refpolicy style rules
> 
> just want to hear opinions

I think I'm okay with the suggestion. At first I was wondering if it is more of
cosmetic nature than actually necessary, but then I found that kernel.te
is declaring the basic roles already as well, and that I had declared the
role specifically in some other modules that I'm using.

Do you think the default role declarations in kernel.te can be dismissed if
your change is put through, or is the declaration of sysadm_r, staff_r, user_r
and unconfined_r in kernel.te needed due to other dependencies?

I can confirm that a duplicate role declaration does not seem to give any
issues on 2.3 and 2.4 userspace, so the above question doesn't need to be
answered before going forward with the change.

Wkr,
        Sven Vermeulen