From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 29 Sep 2009 09:24:55 -0400
Subject: [refpolicy] roles_unconfineduser.patch
In-Reply-To: <4A983C2C.8040507@redhat.com>
References: <4A983C2C.8040507@redhat.com>
Message-ID: <1254230695.10232.112.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-08-28 at 16:21 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unconfineduser.patch
> 
> Splitting out the unconfineduser policy from the unconfined domain so
> that you can leave unconfined_t but remove unconfined.pp

I've been thinking about this for a while.  I don't have a problem with
this in principle, but I don't see how it would work with two modules.
The way I see it, the unconfineduser module would unconditionally depend
on the unconfined module (which defines what it means to be unconfined),
which would mean you couldn't remove the unconfined module while keeping
the unconfineduser module installed.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150