From 37c85212a162b7f305fd570fa845b2959999834e Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 10 Nov 2005 16:55:56 +0000
Subject: [PATCH] use role dominance in targeted for compatability with strict
---
 refpolicy/policy/modules/system/unconfined.if | 16 ----------------
 refpolicy/policy/modules/system/unconfined.te | 8 ++++++++
 refpolicy/policy/modules/system/userdomain.te | 3 ---
 3 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 23a7b97fb..6e12ad12a 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -246,22 +246,6 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
 dontaudit $1 unconfined_t:tcp_socket { read write };
 ')
-########################################
-##
-## Add the unconfined domain to the specified role.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`unconfined_role',`
- gen_require(`
- type unconfined_t;
- ')
-
- role $1 types unconfined_t;
-')
-
 ########################################
 ##
 ## Add an alias type to the unconfined domain.
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index ce40afbe8..486a30d50 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -25,6 +25,12 @@ unconfined_domain_template(unconfined_t)
 logging_send_syslog_msg(unconfined_t)
 ifdef(`targeted_policy',`
+ # compatibility for switching from strict
+ dominance { role secadm_r { role system_r; }}
+ dominance { role sysadm_r { role system_r; }}
+ dominance { role user_r { role system_r; }}
+ dominance { role staff_r { role system_r; }}
+
 allow unconfined_t self:system syslog_read;
 dontaudit unconfined_t self:capability sys_module;
@@ -120,5 +126,7 @@ ifdef(`targeted_policy',`
 ')
 ') dnl end TODO
+
+ # FIXME: typeattribute unconfined_t direct_run_init;
 ')
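Review bot: The four `dominance` statements added to the targeted_policy block in unconfined.te grant more than the `unconfined_role()` calls this commit removes. The old interface authorised only one type per role (`role $1 types unconfined_t;`), whereas a role that dominates `system_r` inherits every type authorised for `system_r`. The grant now also reaches `secadm_r` and `staff_r`, which had no `unconfined_role()` call in the userdomain.te hunk. This is presumably intended for targeted policy, but `# compatibility for switching from strict` does not say so; I would spell it out, e.g. `# targeted only: these roles dominate system_r and so inherit all of its types, not just unconfined_t`. The ifdef block starts and ends outside this hunk.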
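Review bot: The `# FIXME: typeattribute unconfined_t direct_run_init;` line added at the end of the targeted_policy block leaves a disabled policy statement with no reason given. A reader cannot tell whether the attribute is withheld on purpose or simply not wired up yet, which matters for a statement that would widen what `unconfined_t` may do. I would name the blocker in the comment, e.g. `# FIXME: enable once <condition>: typeattribute unconfined_t direct_run_init;`.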
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a108cbdae..03861f307 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -64,9 +64,6 @@ ifdef(`targeted_policy',`
 files_associate_tmp(user_home_dir_t)
 fs_associate_tmpfs(user_home_dir_t)
- unconfined_role(user_r)
- unconfined_role(sysadm_r)
-
 # dont need to use the full role_change()
 allow sysadm_r system_r;
 allow sysadm_r user_r;