File _service:tar_scm_kernel_repo:backport-Fix-users... of Package selinux-policy

File _service:tar_scm_kernel_repo:backport-Fix-users-for-SELinux-userspace-3.4.patch of Package selinux-policy

From e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 14 Apr 2022 12:07:40 +0200
Subject: [PATCH] Fix users for SELinux userspace 3.4

Latest yet to be released userspace version 3.4 added new validation and
discovered several issues in current implementation. This patch tries to
address them:

- move guest and xguest module from contrib to roles - refpolicy did
this change long time ago

- roles guest_r and xguest_r need to be defined in kernel.te

- gen_user() is supposed to be in policy/users, not in modules

- drop role multiple definitions from userdom_base_user_template as it's
and is supposed to be defined in kernel.te
---
 policy/modules/kernel/kernel.te             | 3 +++
 policy/modules/{contrib => roles}/guest.fc  | 0
 policy/modules/{contrib => roles}/guest.if  | 0
 policy/modules/{contrib => roles}/guest.te  | 4 ++--
 policy/modules/roles/unconfineduser.te      | 3 +--
 policy/modules/{contrib => roles}/xguest.fc | 0
 policy/modules/{contrib => roles}/xguest.if | 0
 policy/modules/{contrib => roles}/xguest.te | 4 ++--
 policy/modules/system/userdomain.if         | 3 +--
 9 files changed, 9 insertions(+), 8 deletions(-)
 rename policy/modules/{contrib => roles}/guest.fc (100%)
 rename policy/modules/{contrib => roles}/guest.if (100%)
 rename policy/modules/{contrib => roles}/guest.te (82%)
 rename policy/modules/{contrib => roles}/xguest.fc (100%)
 rename policy/modules/{contrib => roles}/xguest.if (100%)
 rename policy/modules/{contrib => roles}/xguest.te (98%)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index acbb2f74e6..73696bcb0a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -39,6 +39,9 @@ role user_r;
 # here until order dependence is fixed:
 role unconfined_r;
 
+role guest_r;
+role xguest_r;
+
 ifdef(`enable_mls',`
 	role secadm_r;
 	role auditadm_r;
diff --git a/policy/modules/contrib/guest.fc b/policy/modules/roles/guest.fc
similarity index 100%
rename from policy/modules/contrib/guest.fc
rename to policy/modules/roles/guest.fc
diff --git a/policy/modules/contrib/guest.if b/policy/modules/roles/guest.if
similarity index 100%
rename from policy/modules/contrib/guest.if
rename to policy/modules/roles/guest.if
diff --git a/policy/modules/contrib/guest.te b/policy/modules/roles/guest.te
similarity index 82%
rename from policy/modules/contrib/guest.te
rename to policy/modules/roles/guest.te
index 0605776333..2e9505d1cc 100644
--- a/policy/modules/contrib/guest.te
+++ b/policy/modules/roles/guest.te
@@ -5,7 +5,7 @@ policy_module(guest, 1.3.0)
 # Declarations
 #
 
-role guest_r;
+# role guest_r;
 
 userdom_restricted_user_template(guest)
 
@@ -20,4 +20,4 @@ optional_policy(`
 	apache_role(guest_r, guest_t)
 ')
 
-gen_user(guest_u, user, guest_r, s0, s0)
+# gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 55bca1e31e..5596e6f0ee 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -399,5 +399,4 @@ optional_policy(`
 	xserver_xsession_entry_type(unconfined_t)
 ')
 
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
+# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/roles/xguest.fc
similarity index 100%
rename from policy/modules/contrib/xguest.fc
rename to policy/modules/roles/xguest.fc
diff --git a/policy/modules/contrib/xguest.if b/policy/modules/roles/xguest.if
similarity index 100%
rename from policy/modules/contrib/xguest.if
rename to policy/modules/roles/xguest.if
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/roles/xguest.te
similarity index 98%
rename from policy/modules/contrib/xguest.te
rename to policy/modules/roles/xguest.te
index 8d3ef540a7..e19bf40fc5 100644
--- a/policy/modules/contrib/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true)
 ## </desc>
 gen_tunable(xguest_use_bluetooth, true)
 
-role xguest_r;
+# role xguest_r;
 
 userdom_restricted_xwindows_user_template(xguest)
 sysnet_dns_name_resolve(xguest_t)
@@ -203,4 +203,4 @@ optional_policy(`
 	role xguest_r types mozilla_t;
 ')
 
-gen_user(xguest_u, user, xguest_r, s0, s0)
+# gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b16984dd82..d5be647e85 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
 		attribute userdomain;
 		type user_devpts_t, user_tty_device_t;
 		class context contains;
+		role $1_r;
 	')
 
 	attribute $1_file_type;
@@ -34,12 +35,10 @@ template(`userdom_base_user_template',`
 
 	type $1_t, userdomain, $1_usertype;
 	domain_type($1_t)
-	role $1_r;
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	ubac_constrained($1_t)
-	role $1_r;
 	role $1_r types $1_t;
 	allow system_r $1_r;