I'm going to disapprove this. The code itself looks ok, but I think a migration script is a bit much to add here. It's more untested code, and more complexity. I don't think we should add it.
After poking at the code a little more, I've raise bug #1282392 to critical, as it is a big source of problems related to the signon-apparmor-extension addition. I will fix it today, and ping to get an approval for it in the next RTM milestone as well. With it fixed, I think we can then just treat the account as invalid, and send the user through the log-in process again, which, combined with the fix to add "unconfined" to the ACL, should be sufficient for migration.
I'm going to disapprove this. The code itself looks ok, but I think a migration script is a bit much to add here. It's more untested code, and more complexity. I don't think we should add it.
After poking at the code a little more, I've raise bug #1282392 to critical, as it is a big source of problems related to the signon- apparmor- extension addition. I will fix it today, and ping to get an approval for it in the next RTM milestone as well. With it fixed, I think we can then just treat the account as invalid, and send the user through the log-in process again, which, combined with the fix to add "unconfined" to the ACL, should be sufficient for migration.