We unintentionally left the unconfineduser
SELinux module enabled. Nothing was really
using it, as toor was mapped to either staff
or toor depending on the
CONFIG_BUILD_UNCONFINED_TOOR flag. Disable
unconfineduser in modules.conf.
Side-effect, build toor as an separate RPM
and conditionally add it to the ks packages
list when the flag mentioned above is set to
"y".
We unintentionally left the unconfineduser SELinux module enabled. Nothing was really using it, as toor was mapped to either staff or toor depending on the CONFIG_BUILD_UNCONFINED_TOOR flag. Disable unconfineduser in modules.conf.
Side-effect, build toor as an separate RPM and conditionally add it to the ks packages list when the flag mentioned above is set to "y".