userdom_base_user_template: Define role corresponding to the new user

The template creates a new SELinux user, but requires the corresponding
role, meaning that the policy utilizing the interface needs to look
as follos to work:

role <name>_r;
userdom_base_user_template(<name>)

This also breaks the policy generated by
sepolicy generate --term_user -n <username>

Signed-off-by: Vit Mojzis <[email protected]>

policy/modules/contrib/dbadm.te

@@ -21,8 +21,6 @@ gen_tunable(dbadm_manage_user_files, false)
 ## </desc>
 gen_tunable(dbadm_read_user_files, false)
 
-role dbadm_r;
-
 userdom_confined_admin_template(dbadm)
 
 ########################################

policy/modules/contrib/webadm.te

@@ -21,8 +21,6 @@ gen_tunable(webadm_manage_user_files, false)
 ## </desc>
 gen_tunable(webadm_read_user_files, false)
 
-role webadm_r;
-
 userdom_base_user_template(webadm)
 
 type webadm_tmp_t;

policy/modules/kernel/kernel.te

@@ -32,20 +32,6 @@ attribute kernel_system_state_reader;
 attribute sysctl_type;
 
 role system_r;
-role sysadm_r;
-role staff_r;
-role user_r;
-
-# here until order dependence is fixed:
-role unconfined_r;
-
-role guest_r;
-role xguest_r;
-
-ifdef(`enable_mls',`
-	role secadm_r;
-	role auditadm_r;
-')
 
 #
 # kernel_t is the domain of kernel threads.

policy/modules/roles/auditadm.te

@@ -5,8 +5,6 @@ policy_module(auditadm, 2.2.0)
 # Declarations
 #
 
-role auditadm_r;
-role system_r;
 userdom_confined_admin_template(auditadm)
 
 ########################################

policy/modules/system/userdomain.if

@@ -27,7 +27,6 @@ template(`userdom_base_user_template',`
 		attribute userdomain;
 		type user_devpts_t, user_tty_device_t;
 		class context contains;
-		role $1_r;
 	')
 
 	attribute $1_file_type;
@@ -39,6 +38,7 @@ template(`userdom_base_user_template',`
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	ubac_constrained($1_t)
+	role $1_r;
 	role $1_r types $1_t;
 	allow system_r $1_r;