Policy Management

Kirk Vogelsang kvogelsa at ccs.neu.edu
Thu Jul 15 15:26:58 UTC 2004


I'm contemplating rolling my own policy.conf, using the latest strict
as a base and trimming it down and wondering if others have gone
this route as well.

I'm well aware of the implications in doing this and moving away from
the standard m4-based config.  But what seem to be trivial tasks in
modifying the policy file directly appear to become somewhat non-trivial
in trying to make the same modification in the macro files.

For example, I wish to disallow user_r any access to selinux_config_t.
It appears as though access is granted to selinux_config_t
via full_user_role() via base_file_read_access().  full_user_role(user)
adds quite a bit of functionality I want to keep as does
base_file_read_access(user).  So I'm not quite sure where to go from
here.  Removing this access from the policy.conf directly appears to
be a matter of removing one or two lines.

Maybe I'm going about things incorrectly?  Do others write and maintain
their own policies independent of the policy*.rpm's?

Thanks for any insight...

-----
Kirk M. Vogelsang <kvogelsa at ccs.neu.edu>
Northeastern University College of Computer Science
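
One way to locate the lines the message refers to, as an added example that is not part of the original post: a Python script that scans expanded policy.conf text for allow rules granting a source type access to a target type, either by name or through an attribute the type carries. The sample policy is constructed, `user_t` as the domain type behind `user_r` is an assumption, and set operators such as `~` and `*` are not evaluated.

```python
import re

# Constructed policy.conf fragment (m4-expanded syntax); not taken from a real policy.
SAMPLE = """\
# constructed sample
type user_t, domain, userdomain;
type staff_t, domain, userdomain;
type selinux_config_t, file_type;
type etc_t, file_type;
allow user_t { etc_t
               selinux_config_t }:file { read getattr };
allow userdomain selinux_config_t:dir { read getattr search };
allow staff_t selinux_config_t:file { read getattr };
allow user_t etc_t:lnk_file { read getattr };
"""

# A rule field is either one identifier or a brace-delimited set.
FIELD = r"(\{[^}]*\}|[^\s:;]+)"
ALLOW = re.compile(r"\ballow\s+" + FIELD + r"\s+" + FIELD + r"\s*:\s*"
                   + FIELD + r"\s+" + FIELD + r"\s*;")
TYPE = re.compile(r"\btype\s+(\w+)([^;]*);")

def names(field):
    """Split 'a' or '{ a b }' into a set of identifiers."""
    return set(field.strip("{}").split())

def aliases_for(text, type_name):
    """The type itself plus every attribute its declaration assigns."""
    found = {type_name}
    for m in TYPE.finditer(text):
        if m.group(1) == type_name:
            found.update(a.strip() for a in m.group(2).split(",")[1:])
    return found

def find_grants(policy, source, target):
    """Return (line, rule) for each allow rule covering source -> target."""
    text = re.sub(r"#.*", "", policy)  # drop comments, keep line breaks
    src, tgt = aliases_for(text, source), aliases_for(text, target)
    hits = []
    for m in ALLOW.finditer(text):
        if names(m.group(1)) & src and names(m.group(2)) & tgt:
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, " ".join(m.group(0).split())))
    return hits

if __name__ == "__main__":
    for line, rule in find_grants(SAMPLE, "user_t", "selinux_config_t"):
        print(f"{line}: {rule}")
```

Rules reported through an attribute (here `userdomain`) also apply to every other type carrying that attribute, so removing such a line affects more than the one domain.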
