[refpolicy] What is the best way to trim out modules, apps from refpolicy when building monolithic policy.
Sam Gandhi
samgandhi9 at gmail.com
Fri Jun 10 12:52:31 CDT 2011
On Fri, Jun 10, 2011 at 9:34 AM, Christopher J. PeBenito
<cpebenito at tresys.com> wrote:
> On 06/10/11 12:05, Dominick Grift wrote:
>> When you do "make config" it creates a modules.conf I believe. You can
>> remove modules from that file and then those should not be built I
>> believe.
>>
>> You can also include a custom modules.conf in your package and replace
>> that by the one that is generated before you actually compile the
>> policy.
>
> I suggest the above, rather than deleting files out of the tree. This
> is one of the reasons we have a modules.conf for the policy. The 'make
> conf' target will create a modules.conf if you don't have one.
>
I have created the modules.conf and things are progressing. What I am
finding is that, say I enable module ssh, now it wants me to enable the
mail module also.
Now, is it considered the right thing to do to go ahead and just edit
the ssh.if file and take out mta_getattr_spool($1_t), or is there a
better way to untangle the interdependency between the modules?
Should I introduce a boolean variable in policy/booleans.conf and make
it tunable_policy('platform_has_mail', .. and send out the change for
diff in case someone else might be interested?
-Sam
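
An added example, not part of the original message or of refpolicy itself: a small checker that lists every interface an enabled module calls whose defining module is set to off in modules.conf, which is the ssh/mail situation described above. The sample modules.conf, the module sources, and the module name mta (inferred from the interface prefix) are constructed for illustration.

```python
import re

# Constructed sample, in the "name = base|module|off" form of modules.conf.
MODULES_CONF = "corenetwork = base\nssh = module\nmta = off\n"

# Constructed stand-ins for each module's .if/.te text (not real refpolicy source).
SOURCES = {
    "ssh": "template(`ssh_role_template',`\n"
           "\tmta_getattr_spool($1_t)\n"
           "\tcorenet_tcp_bind_ssh_port($1_t)\n')\n",
    "mta": "interface(`mta_getattr_spool',`\n"
           "\tallow $1 mail_spool_t:dir getattr;\n')\n",
    "corenetwork": "interface(`corenet_tcp_bind_ssh_port',`\n')\n",
}

CONF_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(base|module|off)\s*$", re.M)
DEF_RE = re.compile(r"^\s*(?:interface|template)\(`([A-Za-z0-9_]+)'", re.M)
CALL_RE = re.compile(r"^\s*([a-z][A-Za-z0-9_]*)\(", re.M)


def parse_modules_conf(text):
    """Return {module: 'base' | 'module' | 'off'}; comment lines are ignored."""
    return dict(CONF_RE.findall(text))


def missing_dependencies(conf_text, sources):
    """Return sorted (caller, interface, disabled_owner) tuples."""
    state = parse_modules_conf(conf_text)
    # Map each interface/template name to the module whose file defines it,
    # rather than guessing the owner from the name prefix.
    owner = {}
    for mod, src in sources.items():
        for name in DEF_RE.findall(src):
            owner[name] = mod
    findings = set()
    for mod, src in sources.items():
        if state.get(mod, "off") == "off":
            continue  # disabled modules are not built, so their calls are moot
        # Calls inside optional_policy blocks are reported as well;
        # block nesting is not parsed here.
        for called in CALL_RE.findall(src):
            dep = owner.get(called)
            if dep and dep != mod and state.get(dep, "off") == "off":
                findings.add((mod, called, dep))
    return sorted(findings)


if __name__ == "__main__":
    for mod, iface, dep in missing_dependencies(MODULES_CONF, SOURCES):
        print(f"{mod}: calls {iface}() defined by disabled module {dep}")
```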