Statement precedence/priority (neverallow)

Stephen Smalley sds at tycho.nsa.gov
Tue Sep 21 12:33:07 UTC 2010


On Tue, 2010-09-21 at 13:25 +0100, Mr Dash Four wrote:
> > There is work in progress for policy language support for
> > transformations of policy, including the ability to delete rules, but it
> > is still in the early development stages.
> >
> > For what you want to do, there is unfortunately no good mechanism at
> > present other than creating your own custom policy.
> >
> > What you might do though is to wrap the problematic allow rules under
> > tunable_policy blocks with some new policy boolean, and then you could
> > enable/disable those rules by setting the boolean.  That might be
> > acceptable as a patch to the current policy that wouldn't disrupt
> > current users.
> >   
> That, frankly, is hair-raising stuff! It means that I would have to edit 
> every single .te/.if file and encapsulate those blocks, not very nice... 
> I think I already asked this before, but isn't there another - easier - 
> way of doing this?

Not today.  That's why there is ongoing work on extensions to the policy
language to support such transformations, as well as work on the policy
infrastructure to support notions of priorities and localization.

-- 
Stephen Smalley
National Security Agency
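The tunable_policy approach proposed in the quoted reply, written out as an added example in reference-policy .te syntax (not code from the original thread); the types myapp_t and mydata_t, the boolean name and the module name are hypothetical:

```m4
policy_module(myapp, 1.0.0)

# Hypothetical types standing in for the domain and the files it accesses.
type myapp_t;
type mydata_t;

# Before: an unconditional allow rule. The only way to remove it is to
# edit the policy source, rebuild and reload the module.
#
#   allow myapp_t mydata_t:file read_file_perms;

# After: declare a tunable (default off) and wrap the same rule in a
# tunable_policy block. The rule is still compiled into the module, but it
# only takes effect while the boolean is enabled, so users who need it can
# turn it on without anyone editing or rebuilding the policy.
## <desc>
## <p>
## Allow myapp to read mydata files.
## </p>
## </desc>
gen_tunable(myapp_read_mydata, false)

tunable_policy(`myapp_read_mydata',`
	allow myapp_t mydata_t:file read_file_perms;
')
```

Once the module is loaded, the rule is switched with `setsebool -P myapp_read_mydata on` (or `off`), and `sesearch -A -s myapp_t -t mydata_t -b myapp_read_mydata` shows that the allow rule is now conditional on the boolean.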


