On 04/01/2014 01:04 PM, Kim Lawson-Jenkins wrote:
> Steven,
>
> Here's the output of semanage user -l
>
> SELinux User    SELinux Roles
> appuser_u       appuser_r
> confinedapp_u   user_r, system_r
> root            staff_r, sysadm_r, system_r,
>                 unconfined_r
> staff_u         staff_r, sysadm_r, system_r, unconfined_r
> sysadm_u        sysadm_r
> system_u        system_r unconfined_r
> user_u          user_r
>
>
> I read on a SELinux-related blog that unconfined_r should be mapped to
> staff_u when removing the unconfined domain, so I didn't remove
> unconfined_r for all of the SELinux users.  Should I remove unconfined_r
> for staff_u?

That doesn't make sense.  Can you cite this blog?

> Here is the output of semanage login -l
>
> Login Name      SELinux User
> __default__     staff_u
> appuser         appuser_u
> root            staff_u
> system_u        system_u
>
> Thanks for a response.

I expect you would need to update or remove all references to
unconfined_u, unconfined_r, and unconfined_t from your semanage
login/user mappings and from any of the
/etc/selinux/$SELINUXTYPE/contexts files before deleting the unconfined
module.  Is there a reason you aren't just using the mls policy if you
want to avoid the unconfined module?
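
The check suggested in the reply above, as an added example that is not part of the original thread: a script that lists what still references unconfined_u, unconfined_r or unconfined_t before the module is deleted. The function names are hypothetical, and the sample listing is constructed from the semanage user -l output quoted in the message.

```shell
#!/bin/sh
# Added example: audit for leftover unconfined_* references.

# Constructed sample: the `semanage user -l` listing quoted in the thread,
# including the wrapped continuation line for root.
sample_user_listing() {
cat <<'EOF'
SELinux User    SELinux Roles
appuser_u       appuser_r
confinedapp_u   user_r, system_r
root            staff_r, sysadm_r, system_r,
                unconfined_r
staff_u         staff_r, sysadm_r, system_r, unconfined_r
sysadm_u        sysadm_r
system_u        system_r unconfined_r
user_u          user_r
EOF
}

# stdin: `semanage user -l` text. stdout: SELinux users still holding unconfined_r.
users_with_unconfined_r() {
    awk '
    NF == 0 || ($1 == "SELinux" && $2 == "User") { next }
    {
        c = substr($0, 1, 1)
        gsub(/,/, " ")                      # roles are comma and/or space separated
        first = 1                           # indented line: more roles for same user
        if (c != " " && c != "\t") { user = $1; first = 2 }
        for (i = first; i <= NF; i++)
            if ($i == "unconfined_r" && !seen[user]++) print user
    }'
}

# stdin: `semanage login -l` text. stdout: logins mapped to unconfined_u.
logins_mapped_to_unconfined_u() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# $1: a contexts directory. stdout: files naming unconfined_u, _r or _t.
files_referencing_unconfined() {
    grep -rlwE 'unconfined_(u|r|t)' "$1" | sort
}

# Demo on the constructed sample; on a live host pipe the real commands in:
#   semanage user -l  | users_with_unconfined_r
#   semanage login -l | logins_mapped_to_unconfined_u
#   files_referencing_unconfined "/etc/selinux/$SELINUXTYPE/contexts"
sample_user_listing | users_with_unconfined_r
```

All three checks should come back empty before the unconfined module is removed.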