On Wed, Jul 6, 2011 at 9:11 AM, Dominick Grift <domg472@xxxxxxxxx> wrote:
On Wed, 2011-07-06 at 08:59 -0500, Jeremiah Jahn wrote:
> semanage makes persistent changes to a system, correct?
Correct.
> I'm still uncertain of the best way to modify a module, or at least
> make one less permissive. Would it be to remove or disable a module,
> get the source, modify it, rename it, and then import it over the old
> one?
That is one way, yes, but some modules depend on other modules so it may
get a bit more complicated than that.
Generally it becomes harder to maintain.
See my suggestion below.
No, you can achieve that by editing the policy, I believe.
> For example, let's say I didn't want rpm_script_t to be able to
> transition into initrc_t, no matter what role it started as. Or, I
> don't want the sysadm_t to be able to do both run_init_t and rpm_t. Or
> am I completely in left field and not understanding the proper use of
> roles?
I would probably fork the SELinux policy. EL6 policy does not get many
significant updates, so merging changes into your fork should not be too
much work (as opposed to Fedora).
Thanks for the help, that's what I had to do with the old ref policy, I guess I was just hoping I wouldn't have to do that again, because there was some newfangled way. :) Oh well, but thanks again for the help.