strict policy

[Todd Merritt]

I'm getting started with selinux on FC 4.  I'm using the strict policy,
but I'd like to restrict it further so that users can only execute a
handful of commands.  I've tried replacing full_user_role(user_t) with
limit_user role, but the drew assertion errors when trying to load the
policy, and I tried removing restricting the can_exec in both full and
limited_user_role macros in macros/user_macros.te, but (at least from
looking at audit to allow) none of this seems to be getting me where I
want to be.  What is the beast way to remove all access from user_t so
that I can add in the commands I want them to be able to run ?

Thanks,
Todd