From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 29 Sep 2009 09:42:23 -0400
Subject: [refpolicy] roles_unconfineduser.patch
In-Reply-To: <1254230695.10232.112.camel@gorn.columbia.tresys.com>
References: <4A983C2C.8040507@redhat.com>
	<1254230695.10232.112.camel@gorn.columbia.tresys.com>
Message-ID: <4AC20EBF.6010200@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/29/2009 09:24 AM, Christopher J. PeBenito wrote:
> On Fri, 2009-08-28 at 16:21 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unconfineduser.patch
>>
>> Splitting out the unconfineduser policy from the unconfined domain so
>> that you can leave unconfined_t but remove unconfined.pp
> 
> I've been thinking about this for a while.  I don't have a problem with
> this in principle, but I don't see how it would work with two modules.
> The way I see it, the unconfineduser module would unconditionally depend
> on the unconfined module (which defines what it means to be unconfined),
> which would mean you couldn't remove the unconfined module while keeping
> the unconfineduser module installed.
> 

The trick I did to make it work is to add a dummy attribute and add another interface, 



interface(`unconfined_domain',`
	gen_require(`
		attribute unconfined_services;
	')	
	unconfined_domain_noaudit($1)
}

unconfined_domain_noaudit has all the rules required for unconfined_domain.

unconfined_domain_noaudit(unconfined_t)
unconfined_domain_noaudit(kernel_t)
unconfined_domain_noaudit(rpm_t)

unconfined_domain(init_t)
unconfined_domain(initrc_t)
...

The only thing in unconfined.te is

policy_module(unconfined, 3.0.1)

########################################
#
# Declarations
#
attribute unconfined_services;