From 60e9557d283556ef18ac8ffc2f602ff8fdf0a781 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Wed, 7 Dec 2011 12:00:34 -0500
Subject: [PATCH] Unconfined_t needs to transition to useradd_t and useradd_t needs to be able to manage selinux policy

---
 policy/modules/admin/usermanage.te | 8 +-------
 policy/modules/roles/unconfineduser.te | 4 ++++
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 6bcfc8ce..9f133b50 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -479,13 +479,7 @@ fs_getattr_xattr_fs(useradd_t)
 mls_file_upgrade(useradd_t)
 mls_process_read_to_clearance(useradd_t)
 
-# Allow access to context for shadow file
-selinux_get_fs_mount(useradd_t)
-selinux_validate_context(useradd_t)
-selinux_compute_access_vector(useradd_t)
-selinux_compute_create_context(useradd_t)
-selinux_compute_relabel_context(useradd_t)
-selinux_compute_user_contexts(useradd_t)
+seutil_semanage_policy(useradd_t)
 
 term_use_all_inherited_terms(useradd_t)
 term_getattr_all_ptys(useradd_t)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 90af1575..692ef0d7 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -350,6 +350,10 @@ optional_policy(`
 sysnet_role_transition_dhcpc(unconfined_r)
 ')
 
+optional_policy(`
+ usermanage_run_useradd(unconfined_t, unconfined_r)
+')
+
 optional_policy(`
 vbetool_run(unconfined_t, unconfined_r)
 ')
-- 
2.47.3
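Review bot: `seutil_semanage_policy(useradd_t)` in the usermanage.te hunk replaces six narrow `selinux_*` query interfaces with a grant that, per the commit subject, lets useradd_t manage SELinux policy, and the new line has no comment saying why. That is a much wider privilege for a domain that previously only validated and computed contexts, so the reason should sit next to the rule, for example `# useradd updates the SELinux policy store (presumably login mappings; confirm)`. The hunk does not show whether `seutil_semanage_policy` still provides `selinux_compute_create_context` and `selinux_compute_relabel_context`, which the removed comment tied to labelling the shadow file. If it does not, those calls should stay alongside the new one. The useradd_t rule block starts and ends outside the hunk.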
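Review bot: The new `optional_policy` block in unconfineduser.te gives no reason why an unconfined domain needs a domain transition, which an auditor reading the policy will ask about. With `usermanage_run_useradd(unconfined_t, unconfined_r)`, useradd started from unconfined_t is governed by useradd_t's rules, so it now depends on the `seutil_semanage_policy(useradd_t)` grant this commit adds in usermanage.te. A one-line comment above the call would record that link, for example `# useradd must run in useradd_t to update SELinux policy`. That wording is inferred from the commit subject. It is also worth confirming from the audit log that useradd run from an unconfined shell produces no new AVC denials after the transition.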