> There is work in progress for policy language support for
> transformations of policy, including the ability to delete rules, but it
> is still in the early development stages.
>
> For what you want to do, there is unfortunately no good mechanism at
> present other than creating your own custom policy.
>
> What you might do though is to wrap the problematic allow rules under
> tunable_policy blocks with some new policy boolean, and then you could
> enable/disable those rules by setting the boolean. That might be
> acceptable as a patch to the current policy that wouldn't disrupt
> current users.
>

That, frankly, is hair-raising stuff! It means that I would have to edit every single .te/.if file and encapsulate those blocks, not very nice... I think I already asked this before, but isn't there another - easier - way of doing this?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
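The tunable_policy wrapping suggested in the quoted reply, shown on one rule as an added example that is not part of the original message or of the reference policy. The module name, the `mydaemon_t` type and the `mydaemon_read_user_home` boolean are hypothetical; the macros are the reference policy's own.

```selinux
# mydaemon.te -- constructed example; module, type and boolean names are hypothetical
policy_module(mydaemon, 1.0.1)

gen_require(`
	type user_home_t;
')

type mydaemon_t;

# Before: the rule is unconditional, so the only way to drop it is to
# rebuild the module without it.
#
#   allow mydaemon_t user_home_t:file { getattr open read };

# After: declare a boolean that defaults to true, so existing users keep
# the current behaviour until they switch it off.
## <desc>
## <p>
## Allow mydaemon to read files in user home directories.
## </p>
## </desc>
gen_tunable(mydaemon_read_user_home, true)

# The same rule, now present in the loaded policy only while the boolean is on.
tunable_policy(`mydaemon_read_user_home',`
	allow mydaemon_t user_home_t:file { getattr open read };
')

# At runtime, on a system with the module loaded:
#   getsebool mydaemon_read_user_home          # show the current state
#   setsebool -P mydaemon_read_user_home off   # disable the rule persistently
#   sesearch --allow -s mydaemon_t -t user_home_t -C   # list the rule with its conditional
```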