You can come to tomoyo-dev-en if you think this thread will get longer.

Horvath Andras wrote:
> But I don't change domain paths at all. I don't remove or rename any
> domain either, only add one. Maximum I change use_profile value.

Then, no problem. You can append entries in newer policy and then delete
entries which are not in newer policy.

For example, if older policy is like

  <kernel> /usr/sbin/httpd
  allow_read /var/www/html/index.html
  allow_read /var/www/html/welcome.html

and newer policy is like

  <kernel> /usr/sbin/httpd
  allow_read /var/www/html/\*.html

, you can do

  select <kernel> /usr/sbin/httpd
  allow_read /var/www/html/\*.html
  delete allow_read /var/www/html/index.html
  delete allow_read /var/www/html/welcome.html

to replace older policy with newer policy (like tomoyo-loadpolicy does).
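
The append-then-delete sequence described in the message above, generated from two policy texts. This is an added example, not part of the original post and not tomoyo-loadpolicy's code; the function names and the use_profile values in the sample are constructed, and it assumes a bare domain line creates a domain that is not loaded yet, as it does in a policy file.

```python
# Constructed sample policies, based on the ones quoted in the message.
OLD = r"""<kernel> /usr/sbin/httpd
use_profile 1
allow_read /var/www/html/index.html
allow_read /var/www/html/welcome.html
"""
NEW = r"""<kernel> /usr/sbin/httpd
use_profile 3
allow_read /var/www/html/\*.html
"""

def parse_policy(text):
    """Return {domain line: [entries, in file order]} for a domain policy."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = domains.setdefault(line, [])
        elif current is not None and line not in current:
            current.append(line)
    return domains

def update_commands(old_text, new_text):
    """Lines to write so the loaded policy matches new_text: for each domain,
    first the entries that are new, then a delete for each stale entry."""
    old, new = parse_policy(old_text), parse_policy(new_text)
    out = []
    for domain, new_entries in new.items():
        known = domain in old
        old_entries = old.get(domain, [])
        fresh = [e for e in new_entries if e not in old_entries]
        # Assumption: use_profile is overwritten by the new value, so the
        # old use_profile line is never emitted as a delete.
        stale = [e for e in old_entries
                 if e not in new_entries and not e.startswith("use_profile ")]
        if known and not fresh and not stale:
            continue  # domain unchanged, nothing to write
        out.append("select " + domain if known else domain)
        out.extend(fresh)
        out.extend("delete " + e for e in stale)
    return out

if __name__ == "__main__":
    print("\n".join(update_commands(OLD, NEW)))
```

Domains that exist only in the older policy are left alone, matching the case in the thread where no domain is removed or renamed.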