Subject: [PATCH] refpolicy: fix optional issue on sysadm module init and locallogin modules have a depend for sysadm module because they have called sysadm interfaces(sysadm_shell_domtrans). Since sysadm is not a core module, we could make the sysadm_shell_domtrans calls optionally by optional_policy. So, we could make the minimum policy without sysadm module. Upstream-Status: pending Signed-off-by: Xin Ouyang Signed-off-by: Wenzong Fan Signed-off-by: Joe MacDonald --- policy/modules/system/init.te | 14 ++++++++------ policy/modules/system/locallogin.te | 4 +++- 2 files changed, 11 insertions(+), 7 deletions(-) --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -344,17 +344,19 @@ ifdef(`init_systemd',` optional_policy(` modutils_domtrans(init_t) ') ',` - tunable_policy(`init_upstart',` - corecmd_shell_domtrans(init_t, initrc_t) - ',` - # Run the shell in the sysadm role for single-user mode. - # causes problems with upstart - ifndef(`distro_debian',` - sysadm_shell_domtrans(init_t) + optional_policy(` + tunable_policy(`init_upstart',` + corecmd_shell_domtrans(init_t, initrc_t) + ',` + # Run the shell in the sysadm role for single-user mode. + # causes problems with upstart + ifndef(`distro_debian',` + sysadm_shell_domtrans(init_t) + ') ') ') ') ifdef(`distro_debian',` --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -260,11 +260,13 @@ seutil_read_default_contexts(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) -sysadm_shell_domtrans(sulogin_t) +optional_policy(` + sysadm_shell_domtrans(sulogin_t) +') # by default, sulogin does not use pam... # sulogin_pam might need to be defined otherwise ifdef(`sulogin_pam', ` selinux_get_fs_mount(sulogin_t)