From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 29 Sep 2009 10:44:06 -0400
Subject: [refpolicy] roles_unconfineduser.patch
In-Reply-To: <4AC20EBF.6010200@redhat.com>
References: <4A983C2C.8040507@redhat.com> <1254230695.10232.112.camel@gorn.columbia.tresys.com> <4AC20EBF.6010200@redhat.com>
Message-ID: <1254235446.10232.115.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-09-29 at 09:42 -0400, Daniel J Walsh wrote:
> On 09/29/2009 09:24 AM, Christopher J. PeBenito wrote:
> > On Fri, 2009-08-28 at 16:21 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/roles_unconfineduser.patch
> >>
> >> Splitting out the unconfineduser policy from the unconfined domain so
> >> that you can leave unconfined_t but remove unconfined.pp
> >
> > I've been thinking about this for a while. I don't have a problem with
> > this in principle, but I don't see how it would work with two modules.
> > The way I see it, the unconfineduser module would unconditionally depend
> > on the unconfined module (which defines what it means to be unconfined),
> > which would mean you couldn't remove the unconfined module while keeping
> > the unconfineduser module installed.
>
> The trick I did to make it work is to add a dummy attribute and add another interface,
>
> interface(`unconfined_domain',`
> 	gen_require(`
> 		attribute unconfined_services;
> 	')
>
> 	unconfined_domain_noaudit($1)
> ')
>
> unconfined_domain_noaudit has all the rules required for unconfined_domain.

This is the problem: the attribute should be in the _noaudit interface instead, which breaks the desired behavior.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
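The following is an added illustration of the module-dependency mechanics the thread is arguing about; it is not the Fedora patch and not refpolicy's own unconfined.if. The file split, the module names, the `typeattribute` line, the `domain_type()` call and the three representative allow rules are all assumed for the sake of the example. What it shows is that a `gen_require()` inside an interface becomes a link-time `require` in every module that calls the interface, which is why the dummy attribute decides which modules can be removed independently.

```m4
# --- unconfined.te (module "unconfined", the one meant to be removable) ---
policy_module(unconfined, 1.0.0)

# Dummy attribute: never used for an access decision. It exists only so that
# a gen_require() of it makes the calling module depend on unconfined.pp.
attribute unconfined_services;

# --- unconfined.if ---
# Base interface: carries the rules that make a domain unconfined but
# requires nothing declared by the unconfined module, so a caller of this
# interface does NOT depend on unconfined.pp.
interface(`unconfined_domain_noaudit',`
	# assumed representative rules; a real implementation has many more
	allow $1 self:capability ~{ sys_module };
	allow $1 self:process *;
	allow $1 self:fd use;
')

# Wrapper: same rules, plus a require on the dummy attribute. Any module
# calling this interface cannot link unless unconfined.pp is loaded.
# (Moving the gen_require into unconfined_domain_noaudit, which is what the
# reply above argues the _noaudit convention demands, would put that
# dependency back on every caller, including unconfineduser.)
interface(`unconfined_domain',`
	gen_require(`
		attribute unconfined_services;
	')

	typeattribute $1 unconfined_services;   # assumed: makes the require non-vacuous
	unconfined_domain_noaudit($1)
')

# --- unconfineduser.te (module "unconfineduser", stays installed) ---
policy_module(unconfineduser, 1.0.0)

type unconfined_t;
domain_type(unconfined_t)

# Deliberately calls the _noaudit variant: no require on unconfined_services,
# so "semodule -r unconfined" can succeed while unconfineduser.pp stays loaded
# and unconfined_t keeps its rules.
unconfined_domain_noaudit(unconfined_t)

# --- some_service.te (a service that should lose its unconfined rules
#     when unconfined.pp is removed) ---
policy_module(some_service, 1.0.0)

type some_service_t;
domain_type(some_service_t)

# Wrapped in optional_policy: the block is enabled only while the required
# attribute (and therefore unconfined.pp) is present, and silently disabled
# once unconfined.pp is removed instead of making the removal fail.
optional_policy(`
	unconfined_domain(some_service_t)
')
```

The practical check after building such a split is to remove the unconfined module and confirm that unconfineduser and the services still load: a module whose unconditional `require` block names `unconfined_services` is exactly the one that blocks the removal.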