From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 29 Sep 2009 10:44:06 -0400
Subject: [refpolicy] roles_unconfineduser.patch
In-Reply-To: <4AC20EBF.6010200@redhat.com>
References: <4A983C2C.8040507@redhat.com>
	<1254230695.10232.112.camel@gorn.columbia.tresys.com>
	<4AC20EBF.6010200@redhat.com>
Message-ID: <1254235446.10232.115.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-09-29 at 09:42 -0400, Daniel J Walsh wrote:
> On 09/29/2009 09:24 AM, Christopher J. PeBenito wrote:
> > On Fri, 2009-08-28 at 16:21 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unconfineduser.patch
> >>
> >> Splitting out the unconfineduser policy from the unconfined domain so
> >> that you can leave unconfined_t but remove unconfined.pp
> > 
> > I've been thinking about this for a while.  I don't have a problem with
> > this in principle, but I don't see how it would work with two modules.
> > The way I see it, the unconfineduser module would unconditionally depend
> > on the unconfined module (which defines what it means to be unconfined),
> > which would mean you couldn't remove the unconfined module while keeping
> > the unconfineduser module installed.
> > 
> 
> The trick I did to make it work is to add a dummy attribute and add another interface, 
> 
> 
> 
> interface(`unconfined_domain',`
> 	gen_require(`
> 		attribute unconfined_services;
> 	')	
> 	unconfined_domain_noaudit($1)
> }
> 
> unconfined_domain_noaudit has all the rules required for unconfined_domain.

This is the problem, the attribute should be in the _noaudit interface
instead, which breaks the desired behavior.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150