add priv_system_role

docs/macro_conversion_guide

@@ -117,6 +117,11 @@ domain_role_change_exempt($1)
 #
 domain_subj_id_change_exempt($1)
 
+#
+# priv_system_role: complete
+#
+domain_system_change_exempt($1)
+
 #
 # sysadmfile: complete
 #
@@ -740,8 +745,6 @@ allow $1_t self:tcp_socket connected_stream_socket_perms;
 # cjp: this should probably only be inetd_child rules?
 allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow $1_t self:capability { setuid setgid };
-allow $1_t self:dir search;
-allow $1_t self:{ lnk_file file } { getattr read };
 files_search_home($1_t)
 optional_policy(`kerberos.te',`
 	kerberos_use($1_t)