From: cgzones@googlemail.com (cgzones)
Date: Sat, 17 Dec 2016 12:10:12 +0100
Subject: [refpolicy] [PATCH v2] Do not keep disabled modules during new policy load
In-Reply-To: <1481928662.3283.5.camel@trentalancia.net>
References: <1481831671.24835.1.camel@trentalancia.net> <1481835895.24835.3.camel@trentalancia.net> <1481908711.2610.16.camel@trentalancia.net> <1481928436.3283.2.camel@trentalancia.net> <1481928662.3283.5.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Why is the unconfined module required for the kernel one?

I am using a confined kernel_t with the standard Debian sid kernel 4.8.11 and a mostly vanilla 4.9 one, and the only permissions I had to add were:

dev_setattr_xserver_misc_dev(kernel_t)
allow kernel_t xserver_misc_device_t:chr_file { getattr unlink };

2016-12-16 23:51 GMT+01:00 Guido Trentalancia via refpolicy :
> On Fri, 16/12/2016 at 23.47 +0100, Guido Trentalancia via refpolicy
> wrote:
>> On Fri, 16/12/2016 at 18.18 +0100, Guido Trentalancia via refpolicy
>> wrote:
>
> [...]
>
>> > By the way, after removing several modules that I do not use, I
>> > came across some strange behaviour of the system, so I wonder if you
>> > have any idea of what is actually going on.
>> >
>> > The system became unstable due to several permission denied errors
>> > and it seems like parts of the policy have not been loaded, despite
>> > "semodule -l" shows that the relevant modules are there.
>>
>> I found that part of the problem was due to the removal of the
>> "unconfined" domain.
>
> It seems that the "unconfined" domain is defined through optional
> policy in the "kernel" module, but I suppose this is wrong and it
> should instead be defined outside of an optional block, as the kernel
> module depends on it.

See above.
> Regards,
>
> Guido