On Tue, 2010-09-21 at 13:25 +0100, Mr Dash Four wrote:
> > There is work in progress for policy language support for
> > transformations of policy, including the ability to delete rules, but it
> > is still in the early development stages.
> >
> > For what you want to do, there is unfortunately no good mechanism at
> > present other than creating your own custom policy.
> >
> > What you might do though is to wrap the problematic allow rules under
> > tunable_policy blocks with some new policy boolean, and then you could
> > enable/disable those rules by setting the boolean. That might be
> > acceptable as a patch to the current policy that wouldn't disrupt
> > current users.
> >
> That, frankly, is hair-raising stuff! It means that I would have to edit
> every single .te/.if file and encapsulate those blocks, not very nice...
> I think I already asked this before, but isn't there another - easier -
> way of doing this?

Not today. That's why there is ongoing work on extensions to the policy
language to support such transformations, as well as work on the policy
infrastructure to support notions of priorities and localization.

--
Stephen Smalley
National Security Agency
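
The tunable_policy wrapping suggested in the thread above, sketched as an added example that is not part of the original messages or of any shipped policy. The module name `mydomain`, the type `mydomain_t` and the boolean `mydomain_read_user_home` are hypothetical; `user_home_t` stands in for whatever target type the problematic allow rule names.

```selinux
# mydomain.te -- constructed example module; every name prefixed
# "mydomain" is hypothetical and exists only for illustration.
policy_module(mydomain, 1.0.0)

## <desc>
## <p>
## Allow mydomain_t to read files in user home directories.
## </p>
## </desc>
gen_tunable(mydomain_read_user_home, false)

type mydomain_t;

gen_require(`
	type user_home_t;
')

# Before: the rule is unconditional, so it is always part of the
# loaded policy and cannot be switched off without rebuilding.
#
#   allow mydomain_t user_home_t:file { getattr open read };

# After: the same rule, active only while the boolean is true.
# With the default of "false" above, the access is denied until an
# administrator turns the boolean on.
tunable_policy(`mydomain_read_user_home',`
	allow mydomain_t user_home_t:file { getattr open read };
')

# Conditional blocks may hold access vector rules (allow, auditallow,
# dontaudit) and type rules such as type_transition. Type and
# attribute declarations and role statements must stay outside them.

# At runtime (shell, shown here as comments):
#   getsebool mydomain_read_user_home        # show current state
#   setsebool -P mydomain_read_user_home on  # enable, persist across reboot
#   sesearch --allow -s mydomain_t -C        # list rules with their conditions
```

Choosing the boolean's default decides who is affected: a default that keeps the rule active preserves behaviour for current users, while a default of false, as here, makes the restricted policy the starting point.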