From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 10 Jun 2011 20:07:37 +0200
Subject: [refpolicy] What is the best way to trim out modules, apps from refpolicy when building monolithic policy.
In-Reply-To:
References: <1307721943.2645.21.camel@localhost.localdomain> <4DF24786.7000605@tresys.com>
Message-ID: <1307729260.2804.1.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Sam !

On Fri, 2011-06-10 at 10:52 -0700, Sam Gandhi wrote:
> On Fri, Jun 10, 2011 at 9:34 AM, Christopher J. PeBenito
> wrote:
> > On 06/10/11 12:05, Dominick Grift wrote:
> >> When you do "make config" it creates a modules.conf I believe. You can
> >> remove modules from that file and then those should not be built I
> >> believe.
> >>
> >> You can also include a custom modules.conf in your package and replace
> >> that by the one that is generated before you actually compile the
> >> policy.
> >
> > I suggest the above, rather than deleting files out of the tree. This
> > is one of the reasons we have a modules.conf for the policy. The 'make
> > conf' target will create a modules.conf if you don't have one.
> >
>
> I have created the modules.conf and things are progressing. What I am
> finding say I enable module ssh, now it wants me to enable the mail
> module also.
>
> Now is it considered right thing to do go ahead and just edit ssh.if
> file and take out mta_getattr_spool($1_t) or there is better way to
> untangle the interdependency between the modules?

Perhaps you're looking for optional_policy() ?

> Should I introduce a boolean variable in policy/booleans.conf and make
> it tunable_policy('platform_has_mail', .. and send out the change for
> diff in case someone else might be interested?
>
> -Sam

Guido
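
A sketch of the optional_policy() approach suggested in the reply, as an added example that is not part of the original thread or of the refpolicy source. Only the mta_getattr_spool($1_t) call and the ssh.if file name come from the message; the modules.conf selection and the placement of the call are assumptions made for illustration.

```m4
# policy/modules.conf (assumed selection for a trimmed monolithic build):
#   ssh = base
#   mta = off

# ssh.if, before: the call is unconditional, so enabling the ssh module
# forces the mta module to be enabled as well.
mta_getattr_spool($1_t)

# ssh.if, after: the same call wrapped in optional_policy(). The rule stays
# in the tree, is skipped when mta is switched off in modules.conf, and
# applies again as soon as mta is enabled. Nothing is deleted from ssh.if,
# so the file stays close to upstream and later merges remain simple.
optional_policy(`
	mta_getattr_spool($1_t)
')
```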