From 2fc84fd172d9bbf221740ed7bbb9d55e1fafd6f4 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 1 Jun 2005 17:40:22 +0000
Subject: [PATCH] move user_u and root to users

---
 refpolicy/config/local.users | 4 ----
 refpolicy/policy/users | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/refpolicy/config/local.users b/refpolicy/config/local.users
index 887f6f78..7e2bf7aa 100644
--- a/refpolicy/config/local.users
+++ b/refpolicy/config/local.users
@@ -14,10 +14,6 @@
 # The MLS default level and allowed range should only be specified if
 # MLS was enabled in the policy.
 
-user user_u roles { user_r };
-
-user root roles { sysadm_r staff_r };
-
 # sample for administrative user
 # user jadmin roles { staff_r sysadm_r };
 
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index a7a51b1d..bb9d37bb 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -11,3 +11,21 @@
 # identity.
 #
 user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+user user_u roles { user_r } user_mls(s0,s0 - s9:c0.c127);
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+user root roles { sysadm_r staff_r } user_mls(s0,s0 - s9:c0.c127);
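Review bot: The added `user_u` entry in `refpolicy/policy/users` gives the generic fallback identity the range `s0 - s9:c0.c127`, the same range this file gives `system_u`, so on an MLS build any Linux user with no SELinux mapping would appear to be cleared for every sensitivity and category. The lines removed from `local.users` carried no level or range, so this looks like something introduced by the move rather than carried over; `user_mls` is defined outside this patch, so its expansion should be confirmed. Unless that clearance is intended, restrict the fallback to the low level, `user user_u roles { user_r } user_mls(s0,s0);`, and keep the wide range only on `root`. If it is intended, a sentence in the comment above the entry saying why unmapped users need the full range would help the next reader.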