[redhat-lspp] hierarchical roles

Janak Desai janak at us.ibm.com
Mon Aug 7 15:50:23 UTC 2006


As part of testing rbac evaluation requirements, I have been
trying to create a loadable policy module that creates
a new role that dominates a few of the existing roles. I am able
to create a role using the dominance statement and "semanage user"
correctly assigns other roles (which the new role dominates) to a
user when that user is assigned the new role. From what I can
see, I still have to set up needed access rights for the new
domain associated with this new role. That makes sense, since
roles only allow you access to a domain and are not involved in
the access decision. So hierarchical roles only give you the
ability to change into roles that you dominate but do not give
you aggregate access rights of roles that you dominate, is that
correct or am I missing something?

Let me explain what I am asking with an example. strict-mls
policy has roles sysadm_r and secadm_r. I created a new role
cnorris_r that dominates these two roles and runs in the
default domain cnorris_t. A user xyz is assigned the cnorris_r.
Now the user xyz can use newrole to switch into sysadm_r
or secadm_r, to perform actions that those roles are allowed.
However, as cnorris_r in cnorris_t domain, xyz cannot perform
actions that they could as sysadm_r or secadm_r. Is that
correct or am I missing some policy magic that will allow
cnorris_r to perform sysadm_r/secadm_r duties directly (without
newrole'ing to them)?

Thanks.

-Janak
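For reference, this is what a minimal loadable module of the kind described in the message looks like; it is an added example, not the module from the original post. The role and type names come from the message, while the `process` class and the single allow rule are assumptions included only to show that cnorris_t still needs its own type enforcement rules.

```selinux
# cnorris.te (added example). Build with "checkmodule -M -m -o cnorris.mod cnorris.te",
# package with "semodule_package -o cnorris.pp -m cnorris.mod", load with "semodule -i cnorris.pp".
module cnorris 1.0;

require {
    role sysadm_r;
    role secadm_r;
    class process { fork signal };   # assumed: needed only for the sample allow rule below
}

# The default domain the new role runs in.
type cnorris_t;

# Role dominance: cnorris_r dominates sysadm_r and secadm_r, which is why
# "semanage user" adds those roles alongside cnorris_r for a user assigned it.
dominance { role cnorris_r { role sysadm_r; role secadm_r; } }

# Authorize the new role for its own domain (role -> domain only).
role cnorris_r types cnorris_t;

# Access rules are keyed by type, not by role: nothing above gives cnorris_t
# any permission that sysadm_t or secadm_t holds. Every access cnorris_t needs
# has to be written for cnorris_t itself, e.g. (assumed, illustrative only):
allow cnorris_t self:process { fork signal };
```

Loading this module and assigning cnorris_r to a user lets that user reach sysadm_r or secadm_r through newrole, but while in cnorris_t the only permissions in force are the allow rules written for cnorris_t.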
