Unconfined_t needs to transition to useradd_t and useradd_t needs to be able to manag...

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 6bcfc8cebe3d86df107ae31658640afc458706b7..9f133b50637eaf5eba3a86b7764fa8cbbb259b05 100644 (file)
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -479,13 +479,7 @@ fs_getattr_xattr_fs(useradd_t)
 mls_file_upgrade(useradd_t)
 mls_process_read_to_clearance(useradd_t)
 
-# Allow access to context for shadow file
-selinux_get_fs_mount(useradd_t)
-selinux_validate_context(useradd_t)
-selinux_compute_access_vector(useradd_t)
-selinux_compute_create_context(useradd_t)
-selinux_compute_relabel_context(useradd_t)
-selinux_compute_user_contexts(useradd_t)
+seutil_semanage_policy(useradd_t)
 
 term_use_all_inherited_terms(useradd_t)
 term_getattr_all_ptys(useradd_t)

diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 90af1575521b5ac14e49232d77829c2e0f21bc91..692ef0d7a39ca980030e36780c305ed55400207f 100644 (file)
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -350,6 +350,10 @@ optional_policy(`
        sysnet_role_transition_dhcpc(unconfined_r)
 ')
 
+optional_policy(`
+       usermanage_run_useradd(unconfined_t, unconfined_r)
+')
+
 optional_policy(`
        vbetool_run(unconfined_t, unconfined_r)
 ')