So my impression is that the "unconfined" module is the "man, users do weird stuff" grabbag module, and that it is good and helpful to run without it because *in theory*, nothing should actually need the unconfined module to work.
I noticed on my system that there's also an unconfineduser module, but that I can't disable it:
  # semodule -d unconfineduser
  Failed to resolve 'unconfined_u' in selinuxuser statement at line 19116 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
  semodule: Failed!
And so I'm vaguely curious as to what that module is for and how it relates to the unconfined module; "man unconfined_selinux" does not make it obvious.
----- Original Message -----
From: "Robin Lee Powell" rlpowell@digitalkingdom.org
To: selinux@lists.fedoraproject.org
Sent: Friday, April 22, 2016 2:21:41 PM
Subject: unconfineduser module?
> So my impression is that the "unconfined" module is the "man, users do weird stuff" grabbag module, and that it is good and helpful to run without it because *in theory*, nothing should actually need the unconfined module to work.
> I noticed on my system that there's also an unconfineduser module, but that I can't disable it:
>   # semodule -d unconfineduser
>   Failed to resolve 'unconfined_u' in selinuxuser statement at line 19116 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
>   semodule: Failed!
Basically you can't disable unconfineduser while still logged in as unconfined_t
  # id -Z
  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> And so I'm vaguely curious as to what that module is for and how it relates to the unconfined module; "man unconfined_selinux" does not make it obvious.
http://danwalsh.livejournal.com/42394.html
--
selinux mailing list
selinux@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
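A preflight for the situation in this thread, as an added example that is not part of the original messages: before running `semodule -d unconfineduser`, report whether the current session or any login mapping still uses unconfined_u. The function names and the sample table are constructed for illustration, and it is an assumption that the `selinuxuser` statements named in the error correspond to the login mappings that `semanage login -l` lists.

```shell
#!/bin/sh
# Preflight before `semodule -d unconfineduser` (added example, hypothetical helper names).

# Extract the SELinux user (first colon-separated field) from a context as printed by `id -Z`.
ctx_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Read `semanage login -l` style text on stdin; print login names mapped to SELinux user $1.
logins_mapped_to() {
    awk -v u="$1" 'NF >= 3 && $1 != "Login" && $2 == u { print $1 }'
}

# $1 = current context, $2 = login mapping table text.
# Returns 0 if nothing references unconfined_u, 1 otherwise.
preflight() {
    rc=0
    if [ "$(ctx_user "$1")" = "unconfined_u" ]; then
        echo "current session runs as unconfined_u: $1"
        rc=1
    fi
    for l in $(printf '%s\n' "$2" | logins_mapped_to unconfined_u); do
        echo "login mapping still uses unconfined_u: $l"
        rc=1
    done
    return $rc
}

# Constructed sample input: the context is the one shown in the thread,
# the mapping table is made up in the layout `semanage login -l` prints.
SAMPLE_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *'

# On a live system (as root): preflight "$(id -Z)" "$(semanage login -l)"
preflight "$SAMPLE_CTX" "$SAMPLE_LOGINS" || echo "unconfined_u still in use; semodule -d unconfineduser would fail"
```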
On Fri, Apr 22, 2016 at 03:35:19PM -0400, Simon Sekidde wrote:
> ----- Original Message -----
> From: "Robin Lee Powell" rlpowell@digitalkingdom.org
> To: selinux@lists.fedoraproject.org
> Sent: Friday, April 22, 2016 2:21:41 PM
> Subject: unconfineduser module?
> > So my impression is that the "unconfined" module is the "man, users do weird stuff" grabbag module, and that it is good and helpful to run without it because *in theory*, nothing should actually need the unconfined module to work.
> > I noticed on my system that there's also an unconfineduser module, but that I can't disable it:
> >   # semodule -d unconfineduser
> >   Failed to resolve 'unconfined_u' in selinuxuser statement at line 19116 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
> >   semodule: Failed!
> Basically you can't disable unconfineduser while still logged in as unconfined_t
>   # id -Z
>   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > And so I'm vaguely curious as to what that module is for and how it relates to the unconfined module; "man unconfined_selinux" does not make it obvious.
Oh, perfect, thanks!