use role dominance in targeted for compatability with strict

refpolicy/policy/modules/system/unconfined.if

@@ -246,22 +246,6 @@ interface(`unconfined_dontaudit_rw_tcp_socket',`
 	dontaudit $1 unconfined_t:tcp_socket { read write };
 ')
 
-########################################
-## <summary>
-##	Add the unconfined domain to the specified role.
-## </summary>
-## <param name="domain">
-##	Domain allowed access.
-## </param>
-#
-interface(`unconfined_role',`
-	gen_require(`
-		type unconfined_t;
-	')
-
-	role $1 types unconfined_t;
-')
-
 ########################################
 ## <summary>
 ##	Add an alias type to the unconfined domain.

refpolicy/policy/modules/system/unconfined.te

@@ -25,6 +25,12 @@ unconfined_domain_template(unconfined_t)
 logging_send_syslog_msg(unconfined_t)
 
 ifdef(`targeted_policy',`
+	# compatibility for switching from strict
+	dominance { role secadm_r { role system_r; }}
+	dominance { role sysadm_r { role system_r; }}
+	dominance { role user_r { role system_r; }}
+	dominance { role staff_r { role system_r; }}
+
 	allow unconfined_t self:system syslog_read;
 	dontaudit unconfined_t self:capability sys_module;
 
@@ -120,5 +126,7 @@ ifdef(`targeted_policy',`
 	')
 
 	') dnl end TODO
+
+	# FIXME:
 	typeattribute unconfined_t direct_run_init;
 ')

refpolicy/policy/modules/system/userdomain.te

@@ -64,9 +64,6 @@ ifdef(`targeted_policy',`
 	files_associate_tmp(user_home_dir_t)
 	fs_associate_tmpfs(user_home_dir_t)
 
-	unconfined_role(user_r)
-	unconfined_role(sysadm_r)
-
 	# dont need to use the full role_change()
 	allow sysadm_r system_r;
 	allow sysadm_r user_r;