Is there any possibility of writing bundles of policies that can be "imported" into other configurations?<br>Such as defining a package for a set of policies like "shared-libs", and then when writing the policy putting "import shared-libs" or something like that?<br>
Is this too much complex to do?<br><br>Marcelo.<br><br><div><span class="gmail_quote">2008/2/22, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
-----BEGIN PGP SIGNED MESSAGE-----<br> Hash: SHA1<br> <br><br> Bill Nottingham wrote:<br> > I was writing policy today, and I couldn't help notice a lot of<br> > repetitiveness in our policy:<br> ><br> > libs_use_ld_so(...)<br>
> libs_use_shared_libs(...)<br> ><br> > These are needed by, well, everything. Can't they be assumed-unless-denied?<br> ><br> > Similarly, 99% of confined apps need:<br> ><br> > miscfiles_read_localization()<br>
> files_read_etc_files(.)<br> > pipes & stream sockets<br> ><br> > Is there a way to streamline policy so there is a lot less<br> > repetition?<br> ><br> > Bill<br> ><br> > --<br>
> fedora-selinux-list mailing list<br> > <a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br> > <a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a><br>
<br>We have talked about this in the past, and so far it has not gone<br> anywhere. The original goal when refpolicy policy was first written was<br> to allow more fine grained control then the example policy, which<br>
grouped large amounts of access rules within a single macro.<br> (can_network) for example. So we wanted to avoid this, and perhaps the<br> pendulum swung too far to the opposite degree.<br> <br> <br> -----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.8 (GNU/Linux)<br> Comment: Using GnuPG with Fedora - <a href="http://enigmail.mozdev.org">http://enigmail.mozdev.org</a><br> <br> iEYEARECAAYFAke+0oIACgkQrlYvE4MpobPd5gCfYpoWTHLDhsCf1Ae1oTQFv4dA<br> AukAn0voXayQTmjDZm+AvEWoFyU2n/Rz<br>
=sl9z<br> -----END PGP SIGNATURE-----<br> <br><br> --<br> fedora-selinux-list mailing list<br> <a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a><br>
</blockquote></div><br>