From cc4a89232bf2da1ca582fcd25003b83274f691d9 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 10 Jan 2018 10:26:55 +0100 Subject: [PATCH] Allow sysadm_t and staff_t roles to manage user systemd services BZ(1531864) --- policy/modules/roles/staff.te | 4 ++++ policy/modules/roles/sysadm.te | 2 ++ 2 files changed, 6 insertions(+) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 6773aa7844..2c462335e3 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -21,6 +21,9 @@ gen_tunable(staff_use_svirt, false) # # Local policy # + +allow staff_t self:system all_system_perms; + corenet_ib_access_unlabeled_pkeys(staff_t) kernel_read_ring_buffer(staff_t) @@ -255,6 +258,7 @@ optional_policy(` optional_policy(` systemd_read_unit_files(staff_t) + systemd_config_all_services(staff_t) systemd_exec_systemctl(staff_t) ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index b1c6b714d6..d08da3446c 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -10,6 +10,8 @@ role sysadm_r; userdom_admin_user_template(sysadm) allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow sysadm_t self:system all_system_perms; + ######################################## #
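Review bot: The new `allow staff_t self:system all_system_perms;` rule at the top of the staff.te Local policy section is much broader than the user-service management the subject line describes. In refpolicy's permission sets all_system_perms expands to every permission of the system class, which, if this tree's definition matches upstream, includes module_load, module_request, syslog_mod/syslog_console and halt/reboot alongside the systemd manager permissions; self:system module_load is, as far as I recall, the check the kernel applies to init_module(), so this removes an SELinux layer unrelated to the bug. The user systemd instance runs as staff_t and appears to check its systemctl clients against its own context with the manager permissions, so the narrower `allow staff_t self:system { status start stop reload enable disable };` should cover BZ 1531864 — please confirm against the AVC denials in the bug. A comment above the rule, e.g. `# systemctl --user: the user instance runs as staff_t and checks clients against self (BZ 1531864)`, would keep a later reader from widening it further.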
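Review bot: `systemd_config_all_services(staff_t)` in the second staff.te hunk grants, by its upstream definition, the full service permission set on every systemd_unit_file_type, i.e. start/stop/enable/disable of system-manager units as well, not only the units the user instance loads that the commit message targets. After this, SELinux no longer confines staff_t's management of system units and the remaining gate is polkit or the manager's own checks; that trade-off should be stated rather than implied. If the denials only involve units loaded by the user instance, the specific permissions that were denied (or a dedicated type for user unit files) would be the least-privilege choice; otherwise a comment such as `# staff may manage system units via systemctl; the gate is polkit, not SELinux (BZ 1531864)` above the call should record the decision. The enclosing optional_policy block begins and ends inside the hunk, but the rest of the systemd section is outside it.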
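Review bot: The sysadm.te rule `allow sysadm_t self:system all_system_perms;` has the same breadth as the staff_t one: for an admin role the extra permissions are less surprising, but self:system module_load is still a kernel-module loading check that BZ 1531864 did not ask for, and halt/reboot/syslog_mod are bundled in with it if this tree's all_system_perms matches upstream. sysadm_t may already receive some of these through userdom_admin_user_template on the line above, so please check with sesearch before adding an overlapping rule. The narrower `allow sysadm_t self:system { status start stop reload enable disable };` with a comment `# systemctl --user against the sysadm user instance (BZ 1531864)` would keep the two roles consistent and document why the rule exists. The netlink_tcpdiag_socket rule it follows is pre-existing context, not part of this change.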