From: Dan Walsh
Date: Wed, 7 Dec 2011 17:00:34 +0000 (-0500)
Subject: Unconfined_t needs to transition to useradd_t and useradd_t needs to be able to manag...
X-Git-Tag: 000~32
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=60e9557d283556ef18ac8ffc2f602ff8fdf0a781;p=people%2Fstevee%2Fselinux-policy.git
Unconfined_t needs to transition to useradd_t and useradd_t needs to be able to manage selinux policy
---
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 6bcfc8ce..9f133b50 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -479,13 +479,7 @@ fs_getattr_xattr_fs(useradd_t)
 mls_file_upgrade(useradd_t)
 mls_process_read_to_clearance(useradd_t)
-# Allow access to context for shadow file
-selinux_get_fs_mount(useradd_t)
-selinux_validate_context(useradd_t)
-selinux_compute_access_vector(useradd_t)
-selinux_compute_create_context(useradd_t)
-selinux_compute_relabel_context(useradd_t)
-selinux_compute_user_contexts(useradd_t)
+seutil_semanage_policy(useradd_t)
 term_use_all_inherited_terms(useradd_t)
 term_getattr_all_ptys(useradd_t)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 90af1575..692ef0d7 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -350,6 +350,10 @@ optional_policy(`
 sysnet_role_transition_dhcpc(unconfined_r)
 ')
+optional_policy(`
+ usermanage_run_useradd(unconfined_t, unconfined_r)
+')
+
 optional_policy(`
 vbetool_run(unconfined_t, unconfined_r)
 ')
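Review bot: The added `seutil_semanage_policy(useradd_t)` in usermanage.te is undocumented and is a far wider grant than the six `selinux_*` calls it replaces: those let useradd_t query and validate contexts, whereas the commit message says the goal is for useradd_t to manage SELinux policy. Whether the new interface still covers the removed context-validation and compute permissions cannot be seen from this hunk and should be confirmed against its definition. I would restore an explanatory comment above the line, for example `# useradd needs to manage SELinux policy; see seutil_semanage_policy for the full grant`, and name the useradd operation that requires it so the grant can be narrowed later. Because the second hunk makes unconfined_t transition into useradd_t, this domain will be entered from more sessions, which is one more reason to keep its policy-management access justified in the file.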
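Review bot: The new `optional_policy` block in unconfineduser.te has no comment saying why unconfined_t should transition, and its effect is easy to miss: judging by the commit message, useradd started from unconfined_t would now run in useradd_t instead of staying unconfined. Anything useradd did under unconfined rules that useradd_t does not allow would then be denied, so the change deserves a test run with the audit log checked for AVC denials against useradd_t. A one-line comment such as `# Run useradd in useradd_t so account creation from unconfined sessions is confined` would record the intent.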