userdom_base_user_template: Define role corresponding to the new user

The template creates a new SELinux user, but requires the corresponding role, meaning that the policy utilizing the interface needs to look as follos to work: role <user>_r; userdom_base_user_template(<user>) This also breaks the policy generated by sepolicy generate --term_user -n <user> Signed-off-by: Vit Mojzis <[email protected]>
fedora-selinux · May 26, 2023 · e0b8c4d · e0b8c4d
1 parent 62082b4
commit e0b8c4d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
@@ -27,7 +27,6 @@ template(`userdom_base_user_template',`
 		attribute userdomain;
 		type user_devpts_t, user_tty_device_t;
 		class context contains;
-		role $1_r;
 	')
 
 	attribute $1_file_type;
@@ -39,6 +38,7 @@ template(`userdom_base_user_template',`
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	ubac_constrained($1_t)
+	role $1_r;
 	role $1_r types $1_t;
 	allow system_r $1_r;