From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 29 Sep 2009 09:42:23 -0400
Subject: [refpolicy] roles_unconfineduser.patch
In-Reply-To: <1254230695.10232.112.camel@gorn.columbia.tresys.com>
References: <4A983C2C.8040507@redhat.com> <1254230695.10232.112.camel@gorn.columbia.tresys.com>
Message-ID: <4AC20EBF.6010200@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/29/2009 09:24 AM, Christopher J. PeBenito wrote:
> On Fri, 2009-08-28 at 16:21 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unconfineduser.patch
>>
>> Splitting out the unconfineduser policy from the unconfined domain so
>> that you can leave unconfined_t but remove unconfined.pp
>
> I've been thinking about this for a while. I don't have a problem with
> this in principle, but I don't see how it would work with two modules.
> The way I see it, the unconfineduser module would unconditionally depend
> on the unconfined module (which defines what it means to be unconfined),
> which would mean you couldn't remove the unconfined module while keeping
> the unconfineduser module installed.
>
The trick I did to make it work is to add a dummy attribute and add another interface:

interface(`unconfined_domain',`
	gen_require(`
		attribute unconfined_services;
	')

	unconfined_domain_noaudit($1)
')

unconfined_domain_noaudit has all the rules required for unconfined_domain.

unconfined_domain_noaudit(unconfined_t)
unconfined_domain_noaudit(kernel_t)
unconfined_domain_noaudit(rpm_t)
unconfined_domain(init_t)
unconfined_domain(initrc_t)
...

The only thing in unconfined.te is

policy_module(unconfined, 3.0.1)

########################################
#
# Declarations
#

attribute unconfined_services;
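The dependency trick described in the message, laid out across the three policy files involved, as an added illustration that is not the contents of the linked patch. The file names other than unconfined.te, the module version of unconfineduser, the optional_policy wrapper in init.te, and the handful of rules inside unconfined_domain_noaudit are assumptions made for this example; the real interface carries far more rules. The mechanism it shows: a gen_require() on an attribute declared only in unconfined.te turns into a `require` in every module that calls the interface, so the module linker refuses to keep that module loaded once unconfined.pp is gone, while an interface with no such require leaves unconfineduser.pp free of that dependency.

```m4
# unconfined.if  (assumed layout; not the Fedora patch)

## <summary>All unconfined rules, with no dependency on unconfined.pp.</summary>
interface(`unconfined_domain_noaudit',`
	# Deliberately no gen_require() on anything declared in unconfined.te,
	# so a module calling this links even after `semodule -r unconfined`.
	# Assumed subset of the real rules, for illustration only:
	allow $1 self:capability ~sys_module;
	allow $1 self:fifo_file manage_fifo_file_perms;
	kernel_unconfined($1)
	files_unconfined($1)
')

## <summary>Same rules, but tied to the presence of unconfined.pp.</summary>
interface(`unconfined_domain',`
	gen_require(`
		# Dummy attribute: it is never used in a rule. Its only job is to
		# make the calling module require a symbol that unconfined.te alone
		# declares, so the call is satisfiable only while unconfined.pp is loaded.
		attribute unconfined_services;
	')

	unconfined_domain_noaudit($1)
')

# unconfined.te  (as quoted in the message: the removable module declares
# nothing but the hook attribute)
policy_module(unconfined, 3.0.1)

attribute unconfined_services;

# unconfineduser.te  (assumed file and version; stays installed)
policy_module(unconfineduser, 1.0.0)

type unconfined_t;
domain_type(unconfined_t)
role unconfined_r types unconfined_t;

# Goes through the no-require interface, so removing unconfined.pp
# leaves unconfined_t fully unconfined.
unconfined_domain_noaudit(unconfined_t)

# init.te  (assumed excerpt): a service domain that should lose its
# unconfined rules when the admin removes unconfined.pp uses the hooked
# interface inside optional_policy(). The `require { attribute
# unconfined_services; }` it generates is then an optional block, which the
# linker silently disables when no loaded module declares the attribute,
# instead of refusing to load init.pp.
optional_policy(`
	unconfined_domain(init_t)
')
```

A quick check of the effect on a built policy: with unconfined.pp loaded, `sesearch -A -s init_t -c capability` and the same query with `-s unconfined_t` both show the `~sys_module` rule; after `semodule -r unconfined`, only the unconfined_t query still does, and `semodule -l` still lists unconfineduser. If a module calls unconfined_domain() outside an optional_policy() block, removing unconfined.pp fails with an unresolved-require error for that module, which is the failure mode the optional wrapper exists to avoid.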