refpolicy-targeted: rebase patches

rebase patches against latest git sources: * refpolicy-fix-optional-issue-on-sysadm-module.patch * refpolicy-unconfined_u-default-user.patch Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Wenzong Fan <wenzong.fan@windriver.com> 2015-10-27 06:24:54 -0400
committer: Joe MacDonald <joe_macdonald@mentor.com> 2015-11-27 09:18:13 -0500
commit: 4f5fea9bce28f676933ee7b8d00e9b4c65935667 (patch)
tree: a37820ab52d998f71224bac583574629ff430115
parent: 924c55d38e3398e118454ce519adf29d29470a43 (diff)
download: meta-selinux-4f5fea9bce28f676933ee7b8d00e9b4c65935667.tar.gz
2 files changed, 56 insertions, 41 deletions
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
index 44dff5e..2dd8291 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -10,41 +10,42 @@ So, we could make the minimum policy without sysadm module.
 Upstream-Status: pending
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
 policy/modules/system/init.te       | 14 ++++++++------
 policy/modules/system/locallogin.te |  4 +++-
 2 files changed, 11 insertions(+), 7 deletions(-)
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..4548a7e 100644
+index c058f0c..d710fb0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -188,12 +188,14 @@ ifdef(`distro_redhat',`
+@@ -292,12 +292,14 @@ ifdef(`init_systemd',`
-        fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+                modutils_domtrans_insmod(init_t)
+        ')
+ ',`
+-       tunable_policy(`init_upstart',`
+-               corecmd_shell_domtrans(init_t, initrc_t)
+-       ',`
+-               # Run the shell in the sysadm role for single-user mode.
+-               # causes problems with upstart
+-               sysadm_shell_domtrans(init_t)
+       optional_policy(`
+               tunable_policy(`init_upstart',`
+                       corecmd_shell_domtrans(init_t, initrc_t)
+               ',`
+                       # Run the shell in the sysadm role for single-user mode.
+                       # causes problems with upstart
+                       sysadm_shell_domtrans(init_t)
+               ')
+        ')
 ')
 
-tunable_policy(`init_upstart',`
-       corecmd_shell_domtrans(init_t, initrc_t)
-',`
-       # Run the shell in the sysadm role for single-user mode.
-       # causes problems with upstart
-       sysadm_shell_domtrans(init_t)
-+# Run the shell in the sysadm role for single-user mode.
-+# causes problems with upstart
-+optional_policy(`
-+       tunable_policy(`init_upstart',`
-+               corecmd_shell_domtrans(init_t, initrc_t)
-+       ',`
-+               sysadm_shell_domtrans(init_t)
-+       ')
- ')
- 
- optional_policy(`
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index f5a5de7..d942f05 100644
+index 0781eae..ea2493a 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
-@@ -239,7 +239,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
 userdom_search_user_home_dirs(sulogin_t)
 userdom_use_user_ptys(sulogin_t)
 
@@ -56,5 +57,5 @@ index f5a5de7..d942f05 100644
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 -- 
-1.7.11.7
+1.9.1
diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
index 51edcd2..ba14851 100644
--- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
+++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -1,4 +1,4 @@
-refpolicy: make unconfined_u the default selinux user
+Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
 For targeted policy type, we define unconfined_u as the default selinux
 user for root and normal users, so users could login in and run most
@@ -7,18 +7,21 @@ commands and services on unconfined domains.
 Also add rules for users to run init scripts directly, instead of via
 run_init.
-Upstream-Status: Inappropriate [configuration] 
+Upstream-Status: Inappropriate [configuration]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
- config/appconfig-mcs/seusers        |    4 +--
+ config/appconfig-mcs/seusers        |  4 ++--
- policy/modules/roles/sysadm.te      |    1 
+ policy/modules/roles/sysadm.te      |  1 +
- policy/modules/system/init.if       |   47 +++++++++++++++++++++++++++++-------
+ policy/modules/system/init.if       | 47 ++++++++++++++++++++++++++++++-------
- policy/modules/system/unconfined.te |    7 +++++
+ policy/modules/system/unconfined.te |  7 ++++++
- policy/users                        |   16 ++++--------
+ policy/users                        | 16 +++++--------
 5 files changed, 55 insertions(+), 20 deletions(-)
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index dc5f1e4..4428da8 100644
 --- a/config/appconfig-mcs/seusers
 +++ b/config/appconfig-mcs/seusers
 @@ -1,3 +1,3 @@
@@ -27,6 +30,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 005afd8..4699d6a 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
@@ -34,12 +39,14 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 init_exec(sysadm_t)
 +init_script_role_transition(sysadm_r)
- 
+ init_get_system_status(sysadm_t)
- # Add/remove user home directories
+ init_disable(sysadm_t)
- userdom_manage_user_home_dirs(sysadm_t)
+ init_enable(sysadm_t)
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index b68dfc1..35b4141 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
-@@ -825,11 +825,12 @@ interface(`init_script_file_entry_type',
+@@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',`
 #
 interface(`init_spec_domtrans_script',`
        gen_require(`
@@ -54,7 +61,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
        ifdef(`distro_gentoo',`
                gen_require(`
-@@ -840,11 +841,11 @@ interface(`init_spec_domtrans_script',`
+@@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',`
        ')
 
        ifdef(`enable_mcs',`
@@ -68,7 +75,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
        ')
 ')
 
-@@ -860,18 +861,19 @@ interface(`init_spec_domtrans_script',`
+@@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
        gen_require(`
@@ -92,9 +99,9 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
        ')
 ')
 
-@@ -1837,3 +1839,32 @@ interface(`init_udp_recvfrom_all_daemons
+@@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',`
-        ')
+ 
-        corenet_udp_recvfrom_labeled($1, daemon)
+        allow $1 systemdunit:service reload;
 ')
 +
 +########################################
@@ -125,6 +132,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 +       role_transition $1 init_script_file_type system_r;
 +')
 +
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index ad23fce..99cab31 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
 @@ -20,6 +20,11 @@ type unconfined_execmem_t;
@@ -139,7 +148,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 ########################################
 #
-@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_hom
+@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
 ifdef(`direct_sysadm_daemon',`
         optional_policy(`
                 init_run_daemon(unconfined_t, unconfined_r)
@@ -148,6 +157,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
         ')
 ',`
         ifdef(`distro_gentoo',`
+diff --git a/policy/users b/policy/users
+index ca20375..ac1ca6c 100644
 --- a/policy/users
 +++ b/policy/users
 @@ -15,7 +15,7 @@
@@ -159,7 +170,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 
 #
 # user_u is a generic user identity for Linux users who have no
-@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - m
+@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
@@ -188,3 +199,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-- 
+1.9.1
author	Wenzong Fan <wenzong.fan@windriver.com>	2015-10-27 06:24:54 -0400
committer	Joe MacDonald <joe_macdonald@mentor.com>	2015-11-27 09:18:13 -0500
commit	4f5fea9bce28f676933ee7b8d00e9b4c65935667 (patch)
tree	a37820ab52d998f71224bac583574629ff430115
parent	924c55d38e3398e118454ce519adf29d29470a43 (diff)
download	meta-selinux-4f5fea9bce28f676933ee7b8d00e9b4c65935667.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch index 44dff5e..2dd8291 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
@@ -10,41 +10,42 @@ So, we could make the minimum policy without sysadm module.
10	Upstream-Status: pending	10	Upstream-Status: pending
11		11
12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		13	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
13	---	14	---
14	policy/modules/system/init.te \| 14 ++++++++------	15	policy/modules/system/init.te \| 14 ++++++++------
15	policy/modules/system/locallogin.te \| 4 +++-	16	policy/modules/system/locallogin.te \| 4 +++-
16	2 files changed, 11 insertions(+), 7 deletions(-)	17	2 files changed, 11 insertions(+), 7 deletions(-)
17		18
18	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te	19	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
19	index 4a88fa1..4548a7e 100644	20	index c058f0c..d710fb0 100644
20	--- a/policy/modules/system/init.te	21	--- a/policy/modules/system/init.te
21	+++ b/policy/modules/system/init.te	22	+++ b/policy/modules/system/init.te
22	@@ -188,12 +188,14 @@ ifdef(`distro_redhat',`	23	@@ -292,12 +292,14 @@ ifdef(`init_systemd',`
23	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)	24	modutils_domtrans_insmod(init_t)
		25	')
		26	',`
		27	- tunable_policy(`init_upstart',`
		28	- corecmd_shell_domtrans(init_t, initrc_t)
		29	- ',`
		30	- # Run the shell in the sysadm role for single-user mode.
		31	- # causes problems with upstart
		32	- sysadm_shell_domtrans(init_t)
		33	+ optional_policy(`
		34	+ tunable_policy(`init_upstart',`
		35	+ corecmd_shell_domtrans(init_t, initrc_t)
		36	+ ',`
		37	+ # Run the shell in the sysadm role for single-user mode.
		38	+ # causes problems with upstart
		39	+ sysadm_shell_domtrans(init_t)
		40	+ ')
		41	')
24	')	42	')
25		43
26	-tunable_policy(`init_upstart',`
27	- corecmd_shell_domtrans(init_t, initrc_t)
28	-',`
29	- # Run the shell in the sysadm role for single-user mode.
30	- # causes problems with upstart
31	- sysadm_shell_domtrans(init_t)
32	+# Run the shell in the sysadm role for single-user mode.
33	+# causes problems with upstart
34	+optional_policy(`
35	+ tunable_policy(`init_upstart',`
36	+ corecmd_shell_domtrans(init_t, initrc_t)
37	+ ',`
38	+ sysadm_shell_domtrans(init_t)
39	+ ')
40	')
41
42	optional_policy(`
43	diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te	44	diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
44	index f5a5de7..d942f05 100644	45	index 0781eae..ea2493a 100644
45	--- a/policy/modules/system/locallogin.te	46	--- a/policy/modules/system/locallogin.te
46	+++ b/policy/modules/system/locallogin.te	47	+++ b/policy/modules/system/locallogin.te
47	@@ -239,7 +239,9 @@ userdom_use_unpriv_users_fds(sulogin_t)	48	@@ -246,7 +246,9 @@ userdom_use_unpriv_users_fds(sulogin_t)
48	userdom_search_user_home_dirs(sulogin_t)	49	userdom_search_user_home_dirs(sulogin_t)
49	userdom_use_user_ptys(sulogin_t)	50	userdom_use_user_ptys(sulogin_t)
50		51
@@ -56,5 +57,5 @@ index f5a5de7..d942f05 100644
56	# suse and debian do not use pam with sulogin...	57	# suse and debian do not use pam with sulogin...
57	ifdef(`distro_suse', `define(`sulogin_no_pam')')	58	ifdef(`distro_suse', `define(`sulogin_no_pam')')
58	--	59	--
59	1.7.11.7	60	1.9.1
60		61


diff --git a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch index 51edcd2..ba14851 100644 --- a/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch +++ b/recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
@@ -1,4 +1,4 @@
1	refpolicy: make unconfined_u the default selinux user	1	Subject: [PATCH] refpolicy: make unconfined_u the default selinux user
2		2
3	For targeted policy type, we define unconfined_u as the default selinux	3	For targeted policy type, we define unconfined_u as the default selinux
4	user for root and normal users, so users could login in and run most	4	user for root and normal users, so users could login in and run most
@@ -7,18 +7,21 @@ commands and services on unconfined domains.
7	Also add rules for users to run init scripts directly, instead of via	7	Also add rules for users to run init scripts directly, instead of via
8	run_init.	8	run_init.
9		9
10	Upstream-Status: Inappropriate [configuration]	10	Upstream-Status: Inappropriate [configuration]
11		11
12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>	13	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
		14	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
14	---	15	---
15	config/appconfig-mcs/seusers \| 4 +--	16	config/appconfig-mcs/seusers \| 4 ++--
16	policy/modules/roles/sysadm.te \| 1	17	policy/modules/roles/sysadm.te \| 1 +
17	policy/modules/system/init.if \| 47 +++++++++++++++++++++++++++++-------	18	policy/modules/system/init.if \| 47 ++++++++++++++++++++++++++++++-------
18	policy/modules/system/unconfined.te \| 7 +++++	19	policy/modules/system/unconfined.te \| 7 ++++++
19	policy/users \| 16 ++++--------	20	policy/users \| 16 +++++--------
20	5 files changed, 55 insertions(+), 20 deletions(-)	21	5 files changed, 55 insertions(+), 20 deletions(-)
21		22
		23	diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
		24	index dc5f1e4..4428da8 100644
22	--- a/config/appconfig-mcs/seusers	25	--- a/config/appconfig-mcs/seusers
23	+++ b/config/appconfig-mcs/seusers	26	+++ b/config/appconfig-mcs/seusers
24	@@ -1,3 +1,3 @@	27	@@ -1,3 +1,3 @@
@@ -27,6 +30,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
27	-__default__:user_u:s0	30	-__default__:user_u:s0
28	+root:unconfined_u:s0-mcs_systemhigh	31	+root:unconfined_u:s0-mcs_systemhigh
29	+__default__:unconfined_u:s0	32	+__default__:unconfined_u:s0
		33	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
		34	index 005afd8..4699d6a 100644
30	--- a/policy/modules/roles/sysadm.te	35	--- a/policy/modules/roles/sysadm.te
31	+++ b/policy/modules/roles/sysadm.te	36	+++ b/policy/modules/roles/sysadm.te
32	@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)	37	@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
@@ -34,12 +39,14 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
34		39
35	init_exec(sysadm_t)	40	init_exec(sysadm_t)
36	+init_script_role_transition(sysadm_r)	41	+init_script_role_transition(sysadm_r)
37		42	init_get_system_status(sysadm_t)
38	# Add/remove user home directories	43	init_disable(sysadm_t)
39	userdom_manage_user_home_dirs(sysadm_t)	44	init_enable(sysadm_t)
		45	diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
		46	index b68dfc1..35b4141 100644
40	--- a/policy/modules/system/init.if	47	--- a/policy/modules/system/init.if
41	+++ b/policy/modules/system/init.if	48	+++ b/policy/modules/system/init.if
42	@@ -825,11 +825,12 @@ interface(`init_script_file_entry_type',	49	@@ -1234,11 +1234,12 @@ interface(`init_script_file_entry_type',`
43	#	50	#
44	interface(`init_spec_domtrans_script',`	51	interface(`init_spec_domtrans_script',`
45	gen_require(`	52	gen_require(`
@@ -54,7 +61,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
54		61
55	ifdef(`distro_gentoo',`	62	ifdef(`distro_gentoo',`
56	gen_require(`	63	gen_require(`
57	@@ -840,11 +841,11 @@ interface(`init_spec_domtrans_script',`	64	@@ -1249,11 +1250,11 @@ interface(`init_spec_domtrans_script',`
58	')	65	')
59		66
60	ifdef(`enable_mcs',`	67	ifdef(`enable_mcs',`
@@ -68,7 +75,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
68	')	75	')
69	')	76	')
70		77
71	@@ -860,18 +861,19 @@ interface(`init_spec_domtrans_script',`	78	@@ -1269,18 +1270,19 @@ interface(`init_spec_domtrans_script',`
72	#	79	#
73	interface(`init_domtrans_script',`	80	interface(`init_domtrans_script',`
74	gen_require(`	81	gen_require(`
@@ -92,9 +99,9 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
92	')	99	')
93	')	100	')
94		101
95	@@ -1837,3 +1839,32 @@ interface(`init_udp_recvfrom_all_daemons	102	@@ -2504,3 +2506,32 @@ interface(`init_reload_all_units',`
96	')	103
97	corenet_udp_recvfrom_labeled($1, daemon)	104	allow $1 systemdunit:service reload;
98	')	105	')
99	+	106	+
100	+########################################	107	+########################################
@@ -125,6 +132,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
125	+ role_transition $1 init_script_file_type system_r;	132	+ role_transition $1 init_script_file_type system_r;
126	+')	133	+')
127	+	134	+
		135	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
		136	index ad23fce..99cab31 100644
128	--- a/policy/modules/system/unconfined.te	137	--- a/policy/modules/system/unconfined.te
129	+++ b/policy/modules/system/unconfined.te	138	+++ b/policy/modules/system/unconfined.te
130	@@ -20,6 +20,11 @@ type unconfined_execmem_t;	139	@@ -20,6 +20,11 @@ type unconfined_execmem_t;
@@ -139,7 +148,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
139		148
140	########################################	149	########################################
141	#	150	#
142	@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_hom	151	@@ -50,6 +55,8 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_f
143	ifdef(`direct_sysadm_daemon',`	152	ifdef(`direct_sysadm_daemon',`
144	optional_policy(`	153	optional_policy(`
145	init_run_daemon(unconfined_t, unconfined_r)	154	init_run_daemon(unconfined_t, unconfined_r)
@@ -148,6 +157,8 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
148	')	157	')
149	',`	158	',`
150	ifdef(`distro_gentoo',`	159	ifdef(`distro_gentoo',`
		160	diff --git a/policy/users b/policy/users
		161	index ca20375..ac1ca6c 100644
151	--- a/policy/users	162	--- a/policy/users
152	+++ b/policy/users	163	+++ b/policy/users
153	@@ -15,7 +15,7 @@	164	@@ -15,7 +15,7 @@
@@ -159,7 +170,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
159		170
160	#	171	#
161	# user_u is a generic user identity for Linux users who have no	172	# user_u is a generic user identity for Linux users who have no
162	@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - m	173	@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
163	# permit any access to such users, then remove this entry.	174	# permit any access to such users, then remove this entry.
164	#	175	#
165	gen_user(user_u, user, user_r, s0, s0)	176	gen_user(user_u, user, user_r, s0, s0)
@@ -188,3 +199,6 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
188	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)	199	- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
189	-')	200	-')
190	+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)	201	+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
		202	--
		203	1.9.1
		204