From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 29 Sep 2009 09:24:55 -0400
Subject: [refpolicy] roles_unconfineduser.patch
In-Reply-To: <4A983C2C.8040507@redhat.com>
References: <4A983C2C.8040507@redhat.com>
Message-ID: <1254230695.10232.112.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-08-28 at 16:21 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unconfineduser.patch
>
> Splitting out the unconfineduser policy from the unconfined domain so
> that you can leave unconfined_t but remove unconfined.pp

I've been thinking about this for a while. I don't have a problem with
this in principle, but I don't see how it would work with two modules.
The way I see it, the unconfineduser module would unconditionally depend
on the unconfined module (which defines what it means to be unconfined),
which would mean you couldn't remove the unconfined module while keeping
the unconfineduser module installed.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150