On 07/07/11 09:46, Jeremiah Jahn wrote:
> On Wed, Jul 6, 2011 at 9:11 AM, Dominick Grift <domg472@xxxxxxxxx
> <mailto:domg472@xxxxxxxxx>> wrote:
[...]
> > On Wed, 2011-07-06 at 08:59 -0500, Jeremiah Jahn wrote:
> > > for example let's say I didn't want rpm_script_t to be able to
> > > transition into initrc_t, no matter what role it started as. Or, I
> > > don't want the sysadm_t to be able to do both run_init_t and rpm_t. Or
> > > am I completely in left field and not understanding the proper use of
> > > roles?
> >
> > No, you can achieve that by editing the policy I believe.
> >
> > I would probably fork selinux policy. El6 policy does not get much
> > significant updates so merging changes into your fork should not be too
> > much work (as opposed to Fedora)
>
> Thanks for the help, that's what I had to do with the old ref policy, I
> guess I was just hoping I wouldn't have to do that again, because there
> was some newfangled way. :) Oh well, but thanks again for the help.

That's one thing on my wish list for SELinux policy writing tools. A role-o-matic where you start out with a base role, and have a bunch of check boxes for options as to what it can do. I try to keep the useful data in the Refpolicy's XML, but the tool itself is nonexistent.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
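As an added illustration of the "fork and edit the policy" route Dominick describes (not code from this thread or from refpolicy), the two restrictions Jeremiah asks for can be pinned down with build-time assertions in the forked policy; the file placement and the choice to keep run_init_t rather than rpm_t for sysadm_t are assumptions here.

```selinux
# Hypothetical fragment for a forked EL6 policy (added example, not from the
# thread). It belongs in a .te file of the base policy build, not in a loadable
# module: neverallow rules are checked when the whole policy is compiled.

# First goal: rpm_script_t must never reach initrc_t, whatever role it started
# in. If any interface still grants this domain transition (for example one
# called from rpm.te), the build fails and reports the offending allow rule,
# which is the rule to drop from the fork.
neverallow rpm_script_t initrc_t:process transition;

# Second goal: sysadm_t should not be able to run both run_init_t and rpm_t.
# Assumed choice: sysadm_t keeps run_init_t, so the transition to rpm_t is
# forbidden; the allow rule granting it then has to be removed from the fork's
# sysadm.te before the policy compiles.
neverallow sysadm_t rpm_t:process transition;
```

On an installed policy, `sesearch -A -s rpm_script_t -t initrc_t -c process -p transition` (from setools) returning no rules confirms the first constraint actually holds.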