From f657cb14e596de232532222edaa76d9a7a105c40 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Wed, 3 Dec 2008 20:16:08 +0000
Subject: [PATCH] trunk: fix role change constraint.

---
 policy/constraints | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 47ada8d0f..3245d4493 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -98,10 +98,10 @@ constrain process { transition noatsecure siginh rlimitinh }
 
 constrain process { transition noatsecure siginh rlimitinh }
 (
-	r1 == r2
-	or ( t1 == can_change_process_identity and t2 == process_user_target )
-	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
-	or ( t1 == can_system_change and u2 == system_u )
+	r1 == r2 
+	or ( t1 == can_change_process_role and t2 == process_user_target )
+   	or ( t1 == cron_source_domain and t2 == cron_job_domain )
+	or ( t1 == can_system_change and r2 == system_r )
 	or ( t1 == process_uncond_exempt )
 );