I'm contemplating rolling my own policy.conf, using the latest strict as a base and trimming it down, and wondering if others have gone this route as well. I'm well aware of the implications in doing this and moving away from the standard m4-based config. But what seem to be trivial tasks in modifying the policy file directly appear to become somewhat non-trivial in trying to make the same modification in the macro files.

For example, I wish to disallow user_r any access to selinux_config_t. It appears as though access is granted to selinux_config_t via full_user_role() via base_file_read_access(). full_user_role(user) adds quite a bit of functionality I want to keep, as does base_file_read_access(user). So I'm not quite sure where to go from here. Removing this access from the policy.conf directly appears to be a matter of removing one or two lines.

Maybe I'm going about things incorrectly? Do others write and maintain their own policies independent of the policy*.rpm's?

Thanx for any insight...

-----
Kirk M. Vogelsang <kvogelsa@xxxxxxxxxxx>
Northeastern University College of Computer Science