From: samgandhi9@gmail.com (Sam Gandhi)
Date: Fri, 10 Jun 2011 10:52:31 -0700
Subject: [refpolicy] What is the best way to trim out modules, apps from refpolicy when building monolithic policy.
In-Reply-To: <4DF24786.7000605@tresys.com>
References: <1307721943.2645.21.camel@localhost.localdomain> <4DF24786.7000605@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Jun 10, 2011 at 9:34 AM, Christopher J. PeBenito wrote:
> On 06/10/11 12:05, Dominick Grift wrote:
>> When you do "make config" it creates a modules.conf I believe. You can
>> remove modules from that file and then those should not be built I
>> believe.
>>
>> You can also include a custom modules.conf in your package and replace
>> that by the one that is generated before you actually compile the
>> policy.
>
> I suggest the above, rather than deleting files out of the tree. This
> is one of the reasons we have a modules.conf for the policy. The 'make
> conf' target will create a modules.conf if you don't have one.
>

I have created the modules.conf and things are progressing. What I am
finding is that, say I enable module ssh, it now wants me to enable the mail
module also. Now, is it considered the right thing to do to go ahead and just
edit the ssh.if file and take out mta_getattr_spool($1_t), or is there a better
way to untangle the interdependency between the modules?

Should I introduce a boolean variable in policy/booleans.conf and make it
tunable_policy('platform_has_mail', .. and send out the change for diff in
case someone else might be interested?

-Sam
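
An added example, not part of this thread or of refpolicy itself: before trimming modules.conf, a script like the following lists every interface call that a built module makes into a module set to `off`, which is the ssh-to-mta situation described above. It also marks calls that sit inside an `optional_policy` block, since the policy compiler drops those blocks when the other module is absent. The sample modules.conf and `.if` contents are constructed, and the function names are hypothetical.

```python
import re

MODULES_CONF = "ssh = base\nmta = off   # mail module disabled\n"  # constructed sample
SOURCES = {  # file name -> text; constructed, not copied from refpolicy
    "ssh.if": """\
template(`ssh_server_template',`
    mta_getattr_spool($1_t)
    optional_policy(`
        mta_send_mail($1_t)
    ')
')
""",
    "mta.if": """\
interface(`mta_getattr_spool',`
')
interface(`mta_send_mail',`
')
""",
}

def parse_modules_conf(text):
    """Return {module: 'base' | 'module' | 'off'} from modules.conf text."""
    pairs = (ln.split("#", 1)[0].split("=", 1) for ln in text.splitlines())
    return {p[0].strip(): p[1].strip() for p in pairs if len(p) == 2}

def interface_owners(sources):
    """Map each interface/template name to the module whose .if defines it."""
    return {n: f[:-3] for f, t in sources.items() if f.endswith(".if")
            for n in re.findall(r"^(?:interface|template)\(`(\w+)'", t, re.M)}

def calls_into_disabled(conf_text, sources):
    """List (file, line, interface, owner, optional) calls into 'off' modules."""
    state, owner, hits = parse_modules_conf(conf_text), interface_owners(sources), []
    built = {f: t for f, t in sources.items() if state.get(f.rsplit(".", 1)[0], "off") != "off"}
    for fname, text in sorted(built.items()):
        depth, opt = 0, []                # m4 quote depth; open optional_policy depths
        for no, line in enumerate(text.splitlines(), 1):
            for tok in re.finditer(r"(\w+)\(|[`']", line.split("#", 1)[0]):
                if tok.group() == "`":
                    depth += 1
                elif tok.group() == "'":
                    depth -= 1
                    if opt and depth < opt[-1]:
                        opt.pop()         # left the optional_policy body
                elif tok.group(1) == "optional_policy":
                    opt.append(depth + 1)
                elif state.get(owner.get(tok.group(1))) == "off":
                    hits.append((fname, no, tok.group(1), owner[tok.group(1)], bool(opt)))
    return hits
```

Entries whose last field is `False` are the ones that force the other module to be enabled; to use it on a real tree, fill `SOURCES` from the `.if` and `.te` files and pass the text of the generated modules.conf.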