Re: [selinux] Re: unconfineduser module?

----- Original Message ----- > From: "Robin Lee Powell" <rlpowell(a)digitalkingdom.org&gt; > To: selinux(a)lists.fedoraproject.org > Sent: Friday, April 22, 2016 2:21:41 PM > Subject: unconfineduser module? > > > So my impression is that the "unconfined" module is the "man, users > do weird stuff" grabbag module, and that it is good and helpful to > run without it because *in theory*, nothing should actually need > the unconfined module to work. > > I noticed on my system that there's also an unconfineduser module , > but that I can't disable it: > > # semodule -d unconfineduser > Failed to resolve 'unconfined_u' in selinuxuser statement at line 19116 of > /var/lib/selinux/targeted/tmp/modules/100/base/cil > semodule: Failed! > Basically you can't disable unconfineduser while still logged in as unconfined_t # id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > And so I'm vaguely curious as to what that module is for and how it > relates to the unconfined module; "man unconfined_selinux" does not > make it obvious. http://danwalsh.livejournal.com/42394.html