From c8798fb92cf8cfcc63e8c810721f35151c23342b Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Mon, 17 May 2021 14:10:28 +0800 Subject: [PATCH] roles: move dbus_role_template to userdom_common_user_template After commit cc8374fd24129a2a20669bda2b57d8b029945047 (various: systemd user fixes and additional support), the dbus_role_template is required for all roles. Move it to userdom_common_user_template. Before the patch if set DISTRO=redhat: root@qemux86-64:~# ps xZ | grep "systemd --user" root:sysadm_r:sysadm_t 240 ? Ss 0:00 /lib/systemd/systemd --user After the patch: root@qemux86-64:~# ps xZ | grep "systemd --user" root:sysadm_r:sysadm_systemd_t 218 ? Ss 0:00 /lib/systemd/systemd --user Signed-off-by: Yi Zhao --- policy/modules/roles/auditadm.te | 4 ---- policy/modules/roles/secadm.te | 4 ---- policy/modules/roles/staff.te | 18 +++++++----------- policy/modules/roles/sysadm.te | 12 ++++-------- policy/modules/roles/unprivuser.te | 18 +++++++----------- policy/modules/system/userdomain.if | 9 +++++---- 6 files changed, 23 insertions(+), 42 deletions(-) diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te index 12a6ea1a31..e2eb6dc87a 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te @@ -39,10 +39,6 @@ optional_policy(` dmesg_exec(auditadm_t) ') -optional_policy(` - dbus_role_template(auditadm, auditadm_r, auditadm_t) -') - optional_policy(` screen_role_template(auditadm, auditadm_r, auditadm_t) ') diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te index 7b77f97491..47a5c919c5 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -48,10 +48,6 @@ optional_policy(` auditadm_role_change(secadm_r) ') -optional_policy(` - dbus_role_template(secadm, secadm_r, secadm_t) -') - optional_policy(` dmesg_exec(secadm_t) ') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 0665bbe385..324bee6029 100644 
--- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -98,19 +98,15 @@ ifndef(`distro_redhat',` ') optional_policy(` - dbus_role_template(staff, staff_r, staff_t) - - optional_policy(` - gnome_role_template(staff, staff_r, staff_t) - ') + gnome_role_template(staff, staff_r, staff_t) + ') - optional_policy(` - telepathy_role_template(staff, staff_r, staff_t) - ') + optional_policy(` + telepathy_role_template(staff, staff_r, staff_t) + ') - optional_policy(` - wm_role_template(staff, staff_r, staff_t) - ') + optional_policy(` + wm_role_template(staff, staff_r, staff_t) ') optional_policy(` diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 4254751a10..b869d772a5 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1222,15 +1222,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - dbus_role_template(sysadm, sysadm_r, sysadm_t) - - optional_policy(` - gnome_role_template(sysadm, sysadm_r, sysadm_t) - ') + gnome_role_template(sysadm, sysadm_r, sysadm_t) + ') - optional_policy(` - wm_role_template(sysadm, sysadm_r, sysadm_t) - ') + optional_policy(` + wm_role_template(sysadm, sysadm_r, sysadm_t) ') optional_policy(` diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index e773ee44d1..52651f765a 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -62,19 +62,15 @@ ifndef(`distro_redhat',` ') optional_policy(` - dbus_role_template(user, user_r, user_t) - - optional_policy(` - gnome_role_template(user, user_r, user_t) - ') + gnome_role_template(user, user_r, user_t) + ') - optional_policy(` - telepathy_role_template(user, user_r, user_t) - ') + optional_policy(` + telepathy_role_template(user, user_r, user_t) + ') - optional_policy(` - wm_role_template(user, user_r, user_t) - ') + optional_policy(` + wm_role_template(user, user_r, user_t) ') optional_policy(` 
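Review bot: In the staff.te hunk the gnome, telepathy and wm role templates are lifted out of the optional block that used to call `dbus_role_template(staff, staff_r, staff_t)`, so they are no longer disabled together with dbus. The sysadm.te and unprivuser.te hunks do the same un-nesting. Whether those templates expand to the same rules without the enclosing dbus block depends on their bodies, which are outside this diff, so the built policy for staff_t, sysadm_t and user_t should be compared before and after the change. The hunk headers also suggest these blocks sit under the distro_redhat ifndef while the new call site in userdomain.if is unconditional, so on such builds the three roles newly gain the session bus domain. A one-line comment in each role file, such as `# dbus_role_template is provided by userdom_common_user_template`, would keep that visible.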
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 48e549e8d0..66806a4c4e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -729,6 +729,7 @@ template(`userdom_common_user_template',` ') optional_policy(` + dbus_role_template($1, $1_r, $1_t) dbus_system_bus_client($1_t) optional_policy(` @@ -767,6 +768,10 @@ template(`userdom_common_user_template',` optional_policy(` xserver_dbus_chat_xdm($1_t) ') + + optional_policy(` + systemd_role_template($1, $1_r, $1_t) + ') ') optional_policy(` @@ -868,10 +873,6 @@ template(`userdom_common_user_template',` slrnpull_search_spool($1_t) ') - optional_policy(` - systemd_role_template($1, $1_r, $1_t) - ') - optional_policy(` udev_read_runtime_files($1_t) ')
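Review bot: Adding `dbus_role_template($1, $1_r, $1_t)` to userdom_common_user_template in the hunk at line 729 gives every role built from this template a session bus domain, and any role module that still calls dbus_role_template itself would presumably declare the same types twice. This commit removes the call from auditadm, secadm, staff, sysadm and unprivuser only, so role modules not shown here, including out-of-tree ones, should be checked for a remaining call before merging. Because the change widens what every user domain receives, a comment above the line would record why it lives here, e.g. `# every user domain gets a session bus domain; required since the systemd user support was added`. The template body starts and ends outside the hunk.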
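Review bot: In the hunk at line 767 `systemd_role_template($1, $1_r, $1_t)` moves inside the enclosing optional block, which from the surrounding context appears to be the dbus one, so a policy built with the systemd module but without dbus would no longer instantiate it. In that configuration `systemd --user` would presumably stay in the login domain, which is the state the commit message describes as the problem being fixed. If the dependency is intended, state it next to the block, e.g. `# systemd_role_template needs the types from dbus_role_template; keep it inside the dbus block`. The third hunk only removes the old top-level call.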