diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 486a30d..4a2fdc0 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -25,12 +25,6 @@ unconfined_domain_template(unconfined_t) logging_send_syslog_msg(unconfined_t) ifdef(`targeted_policy',` - # compatibility for switching from strict - dominance { role secadm_r { role system_r; }} - dominance { role sysadm_r { role system_r; }} - dominance { role user_r { role system_r; }} - dominance { role staff_r { role system_r; }} - allow unconfined_t self:system syslog_read; dontaudit unconfined_t self:capability sys_module; diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 03861f3..6b0f0b4 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -64,6 +64,12 @@ ifdef(`targeted_policy',` files_associate_tmp(user_home_dir_t) fs_associate_tmpfs(user_home_dir_t) + # compatibility for switching from strict + dominance { role secadm_r { role system_r; }} + dominance { role sysadm_r { role system_r; }} + dominance { role user_r { role system_r; }} + dominance { role staff_r { role system_r; }} + # dont need to use the full role_change() allow sysadm_r system_r; allow sysadm_r user_r;