commit f53f820fe366940d4fdecaef80de4e5b1178fac6
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 01:38:59 2012 +0200

    roleattribute patch

diff --git a/livecd.if b/livecd.if
index bfbf676..fb7869e 100644
--- a/livecd.if
+++ b/livecd.if
@@ -38,12 +38,19 @@ interface(`livecd_run',`
 	gen_require(`
 		type livecd_t;
 		type livecd_exec_t;
-		attribute_role livecd_roles;
+		#attribute_role livecd_roles;
 	')
 
 	livecd_domtrans($1)
-	roleattribute $2 livecd_roles;
+	#roleattribute $2 livecd_roles;
+	role $2 types livecd_t;
 	role_transition $2 livecd_exec_t system_r;
+
+        seutil_run_setfiles_mac(livecd_t, system_r)
+
+        optional_policy(`
+                mount_run(livecd_t, $2)
+        ')
 ')
 
 ########################################
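Review bot: `seutil_run_setfiles_mac(livecd_t, system_r)` hard-codes the role inside an interface that already receives the caller's role as `$2`, so a caller passing any role other than system_r gets livecd_t for its role but not the setfiles_mac transition; `seutil_run_setfiles_mac(livecd_t, $2)` would match the `role $2 types livecd_t;` line just above it. In livecd.te the same call sat inside an optional_policy block (commented out in that file's second hunk) and is unconditional here, which may be intended but should be stated in the interface comment. The added lines are also eight-space indented while the rest of the body uses tabs.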
diff --git a/livecd.te b/livecd.te
index 65efdae..7a944b5 100644
--- a/livecd.te
+++ b/livecd.te
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
 # Declarations
 #
 
-attribute_role livecd_roles;
-roleattribute system_r livecd_roles;
+#attribute_role livecd_roles;
+#roleattribute system_r livecd_roles;
 
 type livecd_t;
 type livecd_exec_t;
 application_domain(livecd_t, livecd_exec_t)
-role livecd_roles types livecd_t;
+role system_r types livecd_t;
+#role livecd_roles types livecd_t;
 
 type livecd_tmp_t;
 files_tmp_file(livecd_tmp_t)
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
 
 sysnet_filetrans_named_content(livecd_t)
 
-optional_policy(`
-	mount_run(livecd_t, livecd_roles)
-	seutil_run_setfiles_mac(livecd_t, livecd_roles)
-')
+#optional_policy(`
+#	mount_run(livecd_t, livecd_roles)
+#	seutil_run_setfiles_mac(livecd_t, livecd_roles)
+#')
 
 optional_policy(`
 	ssh_filetrans_admin_home_content(livecd_t)
diff --git a/mozilla.if b/mozilla.if
index 30b0241..30bfefb 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -18,10 +18,11 @@
 interface(`mozilla_role',`
 	gen_require(`
 		type mozilla_t, mozilla_exec_t, mozilla_home_t;
-		attribute_role mozilla_roles;
+		#attribute_role mozilla_roles;
 	')
 
-	roleattribute $1 mozilla_roles;
+	#roleattribute $1 mozilla_roles;
+	role $1 types mozilla_t;
 
 	domain_auto_trans($2, mozilla_exec_t, mozilla_t)
 	# Unrestricted inheritance from the caller.
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
 
+	#should be remove then with adding of roleattribute
+	mozilla_run_plugin(mozilla_t, $1)
 	mozilla_dbus_chat($2)
 
 	userdom_manage_tmp_role($1, mozilla_t)
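Review bot: The comment above `mozilla_run_plugin(mozilla_t, $1)` is hard to parse and does not say where the line came from; something like `# TODO: moved here from mozilla.te while role attributes are unavailable; drop once roleattribute is usable again` would tell the next reader why the plugin transition now lives in mozilla_role. As written, the transition exists only for roles that call this interface, which is a change from the unconditional rule the .te file had.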
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
 
 	mozilla_filetrans_home_content($2)
 
-	mozilla_dbus_chat($2)
 ')
 
 ########################################
diff --git a/mozilla.te b/mozilla.te
index 7bf56bf..56700a4 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
 ## </desc>
 gen_tunable(mozilla_plugin_enable_homedirs, false)
 
-attribute_role mozilla_roles;
+#attribute_role mozilla_roles;
 
 type mozilla_t;
 type mozilla_exec_t;
 typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
 typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
 userdom_user_application_domain(mozilla_t, mozilla_exec_t)
-role mozilla_roles types mozilla_t;
+#role mozilla_roles types mozilla_t;
+role system_r types mozilla_t;
 
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
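Review bot: `role system_r types mozilla_t;` is not an equivalent replacement for the removed `role mozilla_roles types mozilla_t;` — this hunk removes `attribute_role mozilla_roles` but shows no `roleattribute system_r mozilla_roles` line, so unless system_r was added to the attribute elsewhere in the file, the new line (and the matching lines for mozilla_plugin_t and mozilla_plugin_config_t in the next two hunks) authorises system_r for three user-application domains it did not have before. If system_r genuinely needs these types, a one-line comment saying why would help; otherwise the lines can be dropped and mozilla_role's `role $1 types mozilla_t;` left to cover the user roles.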
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
 type mozilla_plugin_t;
 type mozilla_plugin_exec_t;
 application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
-role mozilla_roles types mozilla_plugin_t;
+#role mozilla_roles types mozilla_plugin_t;
+role system_r types mozilla_plugin_t;
 
 type mozilla_plugin_tmp_t;
 userdom_user_tmp_content(mozilla_plugin_tmp_t)
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
 type mozilla_plugin_config_t;
 type mozilla_plugin_config_exec_t;
 application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
-role mozilla_roles types mozilla_plugin_config_t;
+#role mozilla_roles types mozilla_plugin_config_t;
+role system_r types mozilla_plugin_config_t;
 
 type mozilla_tmp_t;
 userdom_user_tmp_file(mozilla_tmp_t)
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
 
 userdom_use_inherited_user_ptys(mozilla_t)
 
-mozilla_run_plugin(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
 
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
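Review bot: Commenting out `mozilla_run_plugin(mozilla_t, mozilla_roles)` removes the mozilla_t to mozilla_plugin_t transition from mozilla.te; the call was moved into mozilla_role, so the transition now exists only when some role module invokes that interface, even though system_r was given both types in the earlier hunks. If the transition is meant to be unconditional, the domtrans-only form used elsewhere in this commit (as `sysnet_domtrans_dhcpc` replaces `sysnet_run_dhcpc` in ncftool.te) belongs here.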
@@ -298,7 +301,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	pulseaudio_role(mozilla_roles, mozilla_t)
+	#pulseaudio_role(mozilla_roles, mozilla_t)
+	pulseaudio_exec(mozilla_t)
 	pulseaudio_stream_connect(mozilla_t)
 	pulseaudio_manage_home_files(mozilla_t)
 ')
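Review bot: Replacing `pulseaudio_role(mozilla_roles, mozilla_t)` with `pulseaudio_exec(mozilla_t)` is a different substitution from the rest of the commit: every other `*_run`/`*_role` call is swapped for its `*_domtrans` counterpart, whereas an exec interface (inferred from the naming, the body is not visible here) runs pulseaudio inside mozilla_t rather than in its own domain. If a domain transition is intended, use the domtrans form; if running pulseaudio in mozilla_t is the intent, a comment should say so, since it widens what mozilla_t itself may do.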
@@ -476,9 +480,9 @@ optional_policy(`
 	java_exec(mozilla_plugin_t)
 ')
 
-optional_policy(`
-	lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-')
+#optional_policy(`
+#	lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
+#')
 
 optional_policy(`
 	mplayer_exec(mozilla_plugin_t)
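Review bot: `lpd_run_lpr(mozilla_plugin_t, mozilla_roles)` is commented out with no replacement, while the other `*_run` calls in this commit are replaced by their domtrans variant; mozilla_plugin_t loses the transition into the lpr domain entirely, so printing from a plugin is presumably denied from here on. If that is not intended, keep the transition in the domtrans-only form inside an `optional_policy` block as before.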
diff --git a/ncftool.if b/ncftool.if
index 1520b6c..3a4455f 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
 #
 interface(`ncftool_run',`
 	gen_require(`
-		attribute_role ncftool_roles;
+		type ncftool_t;
+		#attribute_role ncftool_roles;
         ')
 
-        ncftool_domtrans($1)
-        roleattribute $2 ncftool_roles;
+        #ncftool_domtrans($1)
+        #roleattribute $2 ncftool_roles;
+
+	role $1 types ncftool_t;
+
+        ncftool_domtrans($2)
+
+        ps_process_pattern($2, ncftool_t)
+        allow $2 ncftool_t:process signal;
 ')
 
diff --git a/ncftool.te b/ncftool.te
index 91ab36d..8c48c33 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
 # Declarations
 #
 
-attribute_role ncftool_roles;
-roleattribute system_r ncftool_roles;
+#attribute_role ncftool_roles;
+#roleattribute system_r ncftool_roles;
 
 type ncftool_t;
 type ncftool_exec_t;
 application_domain(ncftool_t, ncftool_exec_t)
 domain_obj_id_change_exemption(ncftool_t)
 domain_system_change_exemption(ncftool_t)
-role ncftool_roles types ncftool_t;
+#role ncftool_roles types ncftool_t;
+role system_r types ncftool_t;
 
 ########################################
 #
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
 
 miscfiles_read_localization(ncftool_t)
 sysnet_delete_dhcpc_pid(ncftool_t)
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
 sysnet_etc_filetrans_config(ncftool_t)
 sysnet_manage_config(ncftool_t)
 sysnet_read_dhcpc_state(ncftool_t)
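Review bot: `sysnet_domtrans_dhcpc(ncftool_t)` and `sysnet_domtrans_ifconfig(ncftool_t)` keep the type transition but drop the `role … types` grant the `_run` interfaces supplied through ncftool_roles; a role that calls ncftool_run now receives `role $2 types ncftool_t;` only, so its transition from ncftool_t into the dhcpc or ifconfig domain is refused by the role check. The same applies to `modutils_domtrans_insmod` and `netutils_domtrans` in the last hunk of this file, and to `auth_domtrans_chk_passwd` and `ddclient_domtrans` in ppp.te. The caller's role has to be granted those types where the role is known, i.e. in ncftool_run (for example `sysnet_run_dhcpc(ncftool_t, $2)`, as usernetctl.if does in this same commit), while the domtrans lines stay here for system_r.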
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
 userdom_use_user_terminals(ncftool_t)
 userdom_read_user_tmp_files(ncftool_t)
 
-optional_policy(`
-	brctl_run(ncftool_t, ncftool_roles)
-')
+#optional_policy(`
+#	brctl_run(ncftool_t, ncftool_roles)
+#')
 
 optional_policy(`
 	consoletype_exec(ncftool_t)
@@ -85,9 +88,12 @@ optional_policy(`
 
 optional_policy(`
 	modutils_read_module_config(ncftool_t)
-	modutils_run_insmod(ncftool_t, ncftool_roles)
+	modutils_domtrans_insmod(ncftool_t)
+	#modutils_run_insmod(ncftool_t, ncftool_roles)
+
 ')
 
 optional_policy(`
-	netutils_run(ncftool_t, ncftool_roles)
+	netutils_domtrans(ncftool_t)
+	#netutils_run(ncftool_t, ncftool_roles)
 ')
diff --git a/ppp.if b/ppp.if
index c174b05..a4cad0b 100644
--- a/ppp.if
+++ b/ppp.if
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
 #
 interface(`ppp_run',`
 	gen_require(`
-		attribute_role pppd_roles;
+		#attribute_role pppd_roles;
+		type pppd_t;
 	')
 
-	ppp_domtrans($1)
-	roleattribute $2 pppd_roles;
+	#ppp_domtrans($1)
+	#roleattribute $2 pppd_roles;
+
+	role $2 types pppd_t;
+
+        tunable_policy(`pppd_for_user',`
+                ppp_domtrans($1)
+        ')
 ')
 
 ########################################
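Review bot: `ppp_domtrans($1)` is now wrapped in `tunable_policy(`pppd_for_user', …)`, so ppp_run no longer grants an unconditional transition; callers such as `ppp_run(usernetctl_t, $2)` in usernetctl.if now get a transition that depends on the tunable. The file already has `ppp_run_cond` (visible in the hunk header) for the conditional case, so either ppp_run should keep the unconditional `ppp_domtrans($1)` next to the new `role $2 types pppd_t;`, or the two interfaces now overlap and the interface's documentation comment should say so. The tunable_policy block is also space-indented while the rest of the body uses tabs.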
diff --git a/ppp.te b/ppp.te
index 17e10a2..92cec2b 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
 ## </desc>
 gen_tunable(pppd_for_user, false)
 
-attribute_role pppd_roles;
+#attribute_role pppd_roles;
 
 # pppd_t is the domain for the pppd program.
 # pppd_exec_t is the type of the pppd executable.
 type pppd_t;
 type pppd_exec_t;
 init_daemon_domain(pppd_t, pppd_exec_t)
-role pppd_roles types pppd_t;
+#role pppd_roles types pppd_t;
+role system_r types pppd_t;
 
 type pppd_devpts_t;
 term_pty(pppd_devpts_t)
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
 type pptp_t;
 type pptp_exec_t;
 init_daemon_domain(pptp_t, pptp_exec_t)
-role pppd_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
 
 type pptp_log_t;
 logging_log_file(pptp_log_t)
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
 init_signal_script(pppd_t)
 
 auth_use_nsswitch(pppd_t)
-auth_run_chk_passwd(pppd_t,pppd_roles)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
 auth_write_login_records(pppd_t)
 
 logging_send_syslog_msg(pppd_t)
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
 ppp_exec(pppd_t)
 
 optional_policy(`
-	ddclient_run(pppd_t, pppd_roles)
+	#ddclient_run(pppd_t, pppd_roles)
+	ddclient_domtrans(pppd_t)
 ')
 
 optional_policy(`
diff --git a/usernetctl.if b/usernetctl.if
index d45c715..2d4f1ba 100644
--- a/usernetctl.if
+++ b/usernetctl.if
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
 #
 interface(`usernetctl_run',`
 	gen_require(`
-		attribute_role usernetctl_roles;
+		type usernetctl_t;
+		#attribute_role usernetctl_roles;
 	')
 
-	usernetctl_domtrans($1)
-	roleattribute $2 usernetctl_roles;
+	#usernetctl_domtrans($1)
+	#roleattribute $2 usernetctl_roles;
+
+	sysnet_run_ifconfig(usernetctl_t, $2)
+        sysnet_run_dhcpc(usernetctl_t, $2)
+
+        optional_policy(`
+                iptables_run(usernetctl_t, $2)
+        ')
+
+        optional_policy(`
+                modutils_run_insmod(usernetctl_t, $2)
+        ')
+
+        optional_policy(`
+                ppp_run(usernetctl_t, $2)
+        ')
+
 ')
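Review bot: `usernetctl_domtrans($1)` is commented out and nothing replaces it, and unlike the other `*_run` interfaces in this commit no `role $2 types usernetctl_t;` is added, so a caller of usernetctl_run no longer gets a transition into usernetctl_t at all — only the downstream ifconfig/dhcpc/iptables/insmod/ppp role grants. The body should start with `usernetctl_domtrans($1)` and `role $2 types usernetctl_t;` before the sysnet_run_* calls. The trailing blank line before `')` and the mixed tab/space indentation are also worth tidying.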
diff --git a/usernetctl.te b/usernetctl.te
index 8604c1c..35b12a6 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
 # Declarations
 #
 
-attribute_role usernetctl_roles;
+#attribute_role usernetctl_roles;
 
 type usernetctl_t;
 type usernetctl_exec_t;
 application_domain(usernetctl_t, usernetctl_exec_t)
 domain_interactive_fd(usernetctl_t)
-role usernetctl_roles types usernetctl_t;
+#role usernetctl_roles types usernetctl_t;
+role system_r types usernetctl_t;
 
 ########################################
 #
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
 
 userdom_use_inherited_user_terminals(usernetctl_t)
 
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
 
 optional_policy(`
-	consoletype_run(usernetctl_t, usernetctl_roles)
+	#consoletype_run(usernetctl_t, usernetctl_roles)
+	consoletype_exec(usernetctl_t)
 ')
 
 optional_policy(`
 	hostname_exec(usernetctl_t)
 ')
 
-optional_policy(`
-	iptables_run(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+#	iptables_run(usernetctl_t, usernetctl_roles)
+#')
 
-optional_policy(`
-	modutils_run_insmod(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+#	modutils_run_insmod(usernetctl_t, usernetctl_roles)
+#')
 
 optional_policy(`
 	nis_use_ypbind(usernetctl_t)
 ')
 
-optional_policy(`
-	ppp_run(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+#	ppp_run(usernetctl_t, usernetctl_roles)
+#')
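Review bot: `consoletype_exec(usernetctl_t)` replaces `consoletype_run(usernetctl_t, usernetctl_roles)`, which (judging by the interface names, the bodies are not visible here) changes a domain transition into running consoletype inside usernetctl_t; the rest of the commit substitutes `*_domtrans` for `*_run`, so this one stands out. If running it in-domain is deliberate, a short comment on the line would stop a later reader from "fixing" it back.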
diff --git a/vpn.if b/vpn.if
index 7b93e07..a4e2f60 100644
--- a/vpn.if
+++ b/vpn.if
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
 #
 interface(`vpn_run',`
 	gen_require(`
-		attribute_role vpnc_roles;
+		#attribute_role vpnc_roles;
+		type vpnc_t;
 	')
 
+	#vpn_domtrans($1)
+	#roleattribute $2 vpnc_roles;
+
 	vpn_domtrans($1)
-	roleattribute $2 vpnc_roles;
+        role $2 types vpnc_t;
+        sysnet_run_ifconfig(vpnc_t, $2)
 ')
 
 ########################################
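Review bot: The added `#vpn_domtrans($1)` is an exact commented copy of the live `vpn_domtrans($1)` two lines below it, so the comment is noise rather than history; only `#roleattribute $2 vpnc_roles;` records something that was removed. The two new lines `role $2 types vpnc_t;` and `sysnet_run_ifconfig(vpnc_t, $2)` are space-indented while the body uses tabs. Moving the ifconfig grant here also means the vpnc_t to ifconfig transition now exists only when some module calls vpn_run.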
diff --git a/vpn.te b/vpn.te
index 99fd457..d2585bb 100644
--- a/vpn.te
+++ b/vpn.te
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
 # Declarations
 #
 
-attribute_role vpnc_roles;
-roleattribute system_r vpnc_roles;
+#attribute_role vpnc_roles;
+#roleattribute system_r vpnc_roles;
 
 type vpnc_t;
 type vpnc_exec_t;
 init_system_domain(vpnc_t, vpnc_exec_t)
 application_domain(vpnc_t, vpnc_exec_t)
-role vpnc_roles types vpnc_t;
+#role vpnc_roles types vpnc_t;
+role system_r types vpnc_t;
 
 type vpnc_tmp_t;
 files_tmp_file(vpnc_tmp_t)
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
 seutil_dontaudit_search_config(vpnc_t)
 seutil_use_newrole_fds(vpnc_t)
 
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
 sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
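Review bot: Commenting out `sysnet_run_ifconfig(vpnc_t, vpnc_roles)` removes the ifconfig transition for vpnc_t when it is started by init: vpnc_t is an `init_system_domain` (earlier hunk) running under system_r, and the only remaining grant is `sysnet_run_ifconfig(vpnc_t, $2)` in vpn_run, which applies only if some module calls that interface. Keep `sysnet_domtrans_ifconfig(vpnc_t)` here (as ncftool.te does in this commit) so the system_r case does not depend on a caller.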
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 02:33:40 2012 +0200

    Fix ncftool.if

diff --git a/ncftool.if b/ncftool.if
index 3a4455f..59f096b 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
         #ncftool_domtrans($1)
         #roleattribute $2 ncftool_roles;
 
-	role $1 types ncftool_t;
+	ncftool_domtrans($1)
+        role $2 types ncftool_t;
 
-        ncftool_domtrans($2)
+        optional_policy(`
+                brctl_run(ncftool_t, $2)
+        ')
 
-        ps_process_pattern($2, ncftool_t)
-        allow $2 ncftool_t:process signal;
 ')
 
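Review bot: `ncftool_domtrans($1)` is tab-indented while `role $2 types ncftool_t;` and the optional_policy block below it use eight spaces, so the ncftool_run body now mixes both styles; the two commented-out lines at the top of the hunk also no longer describe anything that was removed. This fix also leaves $2 with ncftool_t and brctl only, so the dhcpc, ifconfig, insmod and netutils transitions that ncftool.te now expresses with `*_domtrans` have no role grant for a caller's role; the corresponding `*_run(ncftool_t, $2)` lines would belong here.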
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 10:47:57 2012 +0200

    roleattribute temp fixes for portage and dpkg

diff --git a/dpkg.if b/dpkg.if
index 4d32b42..d945bd0 100644
--- a/dpkg.if
+++ b/dpkg.if
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
 #
 interface(`dpkg_run',`
 	gen_require(`
-		attribute_role dpkg_roles;
+		#attribute_role dpkg_roles;
+		type dpkg_t, dpkg_script_t		
 	')
 
+	#dpkg_domtrans($1)
+	#roleattribute $2 dpkg_roles;
+
 	dpkg_domtrans($1)
-	roleattribute $2 dpkg_roles;
+        role $2 types dpkg_t;
+        role $2 types dpkg_script_t;
+        seutil_run_loadpolicy(dpkg_script_t, $2)
+
 ')
 
 ########################################
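Review bot: `seutil_run_loadpolicy(dpkg_script_t, $2)` is the only role grant the caller's role receives for the transitions dpkg.te now expresses with `*_domtrans` (setfiles, depmod, insmod, groupadd and useradd for dpkg_t; nothing at all for dpkg_script_t), so a user role calling dpkg_run can reach dpkg_t and dpkg_script_t but is refused by the role check on every other transition, and dpkg_t's own load_policy transition is not covered either. The role grants for $2 belong here, next to `role $2 types dpkg_t;`, one per domain that dpkg_roles previously covered. The missing `;` on the gen_require type line is fixed in a later commit on this page; the trailing blank line before `')` and the space-versus-tab indentation remain.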
diff --git a/dpkg.te b/dpkg.te
index a1b8f92..9ac1b80 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
 # Declarations
 #
 
-attribute_role dpkg_roles;
-roleattribute system_r dpkg_roles;
+#attribute_role dpkg_roles;
+#roleattribute system_r dpkg_roles;
 
 type dpkg_t;
 type dpkg_exec_t;
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
 domain_role_change_exemption(dpkg_t)
 domain_system_change_exemption(dpkg_t)
 domain_interactive_fd(dpkg_t)
-role dpkg_roles types dpkg_t;
+#role dpkg_roles types dpkg_t;
+role system_r types dpkg_t;
 
 # lockfile
 type dpkg_lock_t;
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
 domain_obj_id_change_exemption(dpkg_script_t)
 domain_system_change_exemption(dpkg_script_t)
 domain_interactive_fd(dpkg_script_t)
-role dpkg_roles types dpkg_script_t;
+#role dpkg_roles types dpkg_script_t;
+role system_r types dpkg_script_t;
 
 type dpkg_script_tmp_t;
 files_tmp_file(dpkg_script_tmp_t)
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
 init_domtrans_script(dpkg_t)
 init_use_script_ptys(dpkg_t)
 
+#libs_exec_ld_so(dpkg_t)
+#libs_exec_lib_files(dpkg_t)
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
 libs_exec_ld_so(dpkg_t)
 libs_exec_lib_files(dpkg_t)
-libs_run_ldconfig(dpkg_t, dpkg_roles)
+libs_domtrans_ldconfig(dpkg_t)
 
 logging_send_syslog_msg(dpkg_t)
 
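Review bot: `#libs_exec_ld_so(dpkg_t)` and `#libs_exec_lib_files(dpkg_t)` are commented copies of lines that are still live two lines below, so they record nothing; only `#libs_run_ldconfig(dpkg_t, dpkg_roles)` documents a removal. Dropping the two duplicates would keep the hunk to the actual change.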
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
 files_read_etc_runtime_files(dpkg_t)
 files_exec_usr_files(dpkg_t)
 miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
+#modutils_run_depmod(dpkg_t, dpkg_roles)
+#modutils_run_insmod(dpkg_t, dpkg_roles)
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
 userdom_use_all_users_fds(dpkg_t)
 optional_policy(`
 	mta_send_mail(dpkg_t)
 ')
+
+
 optional_policy(`
-	usermanage_run_groupadd(dpkg_t, dpkg_roles)
-	usermanage_run_useradd(dpkg_t, dpkg_roles)
+        modutils_domtrans_depmod(dpkg_t)
+        modutils_domtrans_insmod(dpkg_t)
+	seutil_domtrans_loadpolicy(dpkg_t)
+	seutil_domtrans_setfiles(dpkg_t)
+        usermanage_domtrans_groupadd(dpkg_t)
+        usermanage_domtrans_useradd(dpkg_t)
 ')
 
+#optional_policy(`
+#	usermanage_run_groupadd(dpkg_t, dpkg_roles)
+#	usermanage_run_useradd(dpkg_t, dpkg_roles)
+#')
+
 ########################################
 #
 # dpkg-script Local policy
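Review bot: The modutils and seutil calls that were unconditional (the removed `modutils_run_depmod` … `seutil_run_setfiles` lines at the top of the hunk) are now inside a single `optional_policy` block together with the usermanage calls; an optional block is disabled as a whole when any of its requirements is unmet, so dpkg_t would lose its depmod/insmod/load_policy/setfiles transitions whenever the usermanage module is absent. Keep `modutils_domtrans_depmod`, `modutils_domtrans_insmod`, `seutil_domtrans_loadpolicy` and `seutil_domtrans_setfiles` unconditional where the `_run` lines stood, and leave only the usermanage pair in the optional block. The two added blank lines and the eight-space indentation inside the block do not match the file's tab style.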
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
 
 miscfiles_read_localization(dpkg_script_t)
 
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
 
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
 
 userdom_use_all_users_fds(dpkg_script_t)
 
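Review bot: dpkg_script_t's depmod, insmod, load_policy and setfiles transitions are commented out with no domtrans replacement, unlike dpkg_t in the previous hunk; the same happens to `bootloader_run` and the usermanage pair in the next two hunks, so the script domain keeps only the loadpolicy transition that dpkg_run adds for callers. If these are meant to survive, add the `*_domtrans` forms here as was done for dpkg_t.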
@@ -319,9 +335,9 @@ optional_policy(`
 	apt_use_fds(dpkg_script_t)
 ')
 
-optional_policy(`
-	bootloader_run(dpkg_script_t, dpkg_roles)
-')
+#optional_policy(`
+#	bootloader_run(dpkg_script_t, dpkg_roles)
+#')
 
 optional_policy(`
 	mta_send_mail(dpkg_script_t)
@@ -335,7 +351,7 @@ optional_policy(`
 	unconfined_domain(dpkg_script_t)
 ')
 
-optional_policy(`
-	usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
-	usermanage_run_useradd(dpkg_script_t, dpkg_roles)
-')
+#optional_policy(`
+#	usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+#	usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+#')
diff --git a/portage.if b/portage.if
index b4bb48a..e5e8f12 100644
--- a/portage.if
+++ b/portage.if
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
 #
 interface(`portage_run',`
 	gen_require(`
-		attribute_role portage_roles;
+		type portage_t, portage_fetch_t, portage_sandbox_t;
+		#attribute_role portage_roles;
 	')
 
-	portage_domtrans($1)
-	roleattribute $2 portage_roles;
+	#portage_domtrans($1)
+	#roleattribute $2 portage_roles;
+	    portage_domtrans($1)
+    role $2 types { portage_t portage_fetch_t portage_sandbox_t }
+
 ')
 
 ########################################
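Review bot: Indentation in the new body is inconsistent: `portage_domtrans($1)` carries a tab plus four spaces and the `role` line four spaces, while the rest of the interface uses a single tab; `role $2 types { … }` also lacks a trailing `;`, which a later commit on this page fixes. The two commented-out lines duplicate the live `portage_domtrans($1)` directly below them. gcc_config_t is not in the role set even though portage_roles previously reached it through `portage_run_gcc_config`, so a caller's role cannot follow that transition.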
diff --git a/portage.te b/portage.te
index 22bdf7d..f726e1d 100644
--- a/portage.te
+++ b/portage.te
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
 ## </desc>
 gen_tunable(portage_use_nfs, false)
 
-attribute_role portage_roles;
+#attribute_role portage_roles;
 
 type gcc_config_t;
 type gcc_config_exec_t;
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
 domain_obj_id_change_exemption(portage_t)
 rsync_entry_type(portage_t)
 corecmd_shell_entry_type(portage_t)
-role portage_roles types portage_t;
+#role portage_roles types portage_t;
+role system_r types portage_t;
 
 # portage compile sandbox domain
 type portage_sandbox_t;
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
 # the shell is the entrypoint if regular sandbox is disabled
 # portage_exec_t is the entrypoint if regular sandbox is enabled
 corecmd_shell_entry_type(portage_sandbox_t)
-role portage_roles types portage_sandbox_t;
+#role portage_roles types portage_sandbox_t;
+role system_r types portage_sandbox_t;
 
 # portage package fetching domain
 type portage_fetch_t;
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
 application_domain(portage_fetch_t, portage_fetch_exec_t)
 corecmd_shell_entry_type(portage_fetch_t)
 rsync_entry_type(portage_fetch_t)
-role portage_roles types portage_fetch_t;
+#role portage_roles types portage_fetch_t;
+role system_r types portage_fetch_t;
 
 type portage_devpts_t;
 term_pty(portage_devpts_t)
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
 init_dontaudit_read_script_status_files(gcc_config_t)
 
 libs_read_lib_files(gcc_config_t)
-libs_run_ldconfig(gcc_config_t, portage_roles)
+#libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_domtrans_ldconfig(gcc_config_t)
 libs_manage_shared_libs(gcc_config_t)
 # gcc-config creates a temp dir for the libs
 libs_manage_lib_dirs(gcc_config_t)
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
 init_exec(portage_t)
 
 # run setfiles -r
-seutil_run_setfiles(portage_t, portage_roles)
+#seutil_run_setfiles(portage_t, portage_roles)
 # run semodule
-seutil_run_semanage(portage_t, portage_roles)
+#seutil_run_semanage(portage_t, portage_roles)
 
-portage_run_gcc_config(portage_t, portage_roles)
+#portage_run_gcc_config(portage_t, portage_roles)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t)
 
-optional_policy(`
-	bootloader_run(portage_t, portage_roles)
-')
+#optional_policy(`
+#	bootloader_run(portage_t, portage_roles)
+#')
 
 optional_policy(`
 	cron_system_entry(portage_t, portage_exec_t)
 	cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
 ')
 
-optional_policy(`
-	modutils_run_depmod(portage_t, portage_roles)
-	modutils_run_update_mods(portage_t, portage_roles)
+#optional_policy(`
+#	modutils_run_depmod(portage_t, portage_roles)
+#	modutils_run_update_mods(portage_t, portage_roles)
 	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
 ')
 
-optional_policy(`
-	usermanage_run_groupadd(portage_t, portage_roles)
-	usermanage_run_useradd(portage_t, portage_roles)
-')
+#optional_policy(`
+#	usermanage_run_groupadd(portage_t, portage_roles)
+#	usermanage_run_useradd(portage_t, portage_roles)
+#')
+
+seutil_domtrans_setfiles(portage_t)
+seutil_domtrans_semanage(portage_t)
+bootloader_domtrans(portage_t)
+modutils_domtrans_depmod(portage_t)
+modutils_domtrans_update_mods(portage_t)
+usermanage_domtrans_groupadd(portage_t)
+usermanage_domtrans_useradd(portage_t)
 
 ifdef(`TODO',`
 # seems to work ok without these
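Review bot: The seven `*_domtrans` lines added at the end of the hunk sit outside any `optional_policy` block, whereas `bootloader_run`, the modutils pair and the usermanage pair they replace were each inside one; bootloader, modutils and usermanage are separate modules, so the policy no longer builds when any of them is not present. Put them back into per-module optional_policy blocks (the two seutil lines can stay unconditional, as their `_run` predecessors were). `portage_run_gcc_config(portage_t, portage_roles)` is commented out with no replacement, so the portage_t to gcc_config_t transition is gone unless it is provided elsewhere; the file still declares the gcc_config_t domain in an earlier hunk.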
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 10:52:09 2012 +0200

    Fix typo

diff --git a/portage.if b/portage.if
index e5e8f12..7098ded 100644
--- a/portage.if
+++ b/portage.if
@@ -50,7 +50,7 @@ interface(`portage_run',`
 	#portage_domtrans($1)
 	#roleattribute $2 portage_roles;
 	    portage_domtrans($1)
-    role $2 types { portage_t portage_fetch_t portage_sandbox_t }
+    role $2 types { portage_t portage_fetch_t portage_sandbox_t };
 
 ')
 
commit cf999ca29d2a4401c481e28c169e10d676d73526
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jun 7 10:59:22 2012 +0200

    One more typo

diff --git a/dpkg.if b/dpkg.if
index d945bd0..78736d8 100644
--- a/dpkg.if
+++ b/dpkg.if
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
 interface(`dpkg_run',`
 	gen_require(`
 		#attribute_role dpkg_roles;
-		type dpkg_t, dpkg_script_t		
+		type dpkg_t, dpkg_script_t;
 	')
 
 	#dpkg_domtrans($1)