On Wed, 2011-07-06 at 08:59 -0500, Jeremiah Jahn wrote:
> semanage makes persistent changes to a system, correct?

Correct.

> I'm still uncertain of the best way to modify a module, or at least
> make one less permissive. Would it be to remove or disable a module,
> get the source, modify it, rename it, and then import it over the old
> one?

That is one way, yes, but some modules depend on other modules, so it may get a bit more complicated than that. Generally it becomes harder to maintain. See my suggestion below.

> For example, let's say I didn't want rpm_script_t to be able to
> transition into initrc_t, no matter what role it started as. Or, I
> don't want the sysadm_t to be able to do both run_init_t and rpm_t. Or
> am I completely in left field and not understanding the proper use of
> roles?

No, you can achieve that by editing the policy, I believe. I would probably fork selinux policy. EL6 policy does not get many significant updates, so merging changes into your fork should not be too much work (as opposed to Fedora).