On Wed, 2008-05-21 at 11:59 -0400, Daniel J Walsh wrote:
> Remove all init programs calls to
> sysadm_dontaudit_list_home_dirs and put that call in the
>
> init_system_domain and init_daemon_domain

I might be able to buy that for the latter, but I don't see it for the former.

> That way we can think about making role/sysadm a module.
>
> Of course I believe the /root should have a special context of
> admin_home_t and not be affected by whether or not you have sysadm
> policy defined.

In the RBAC separation branch I was planning to have all the roles have the same home directory type anyway (owned by the userdomain module). If it ends up that we still need to have a type-based separation between unpriv user and admin user home directories, then it will end up being as you suggest above.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150