Re: [PATCH][v2] selinux: Allow context mounts for unpriviliged overlayfs

From: Paul Moore <paul@paul-moore.com>
To: Dan Walsh <dwalsh@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>,
	selinux@vger.kernel.org, linux-unionfs@vger.kernel.org,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Eric Paris <eparis@parisplace.org>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Amir Goldstein <amir73il@gmail.com>,
	Giuseppe Scrivano <gscrivan@redhat.com>
Subject: Re: [PATCH][v2] selinux: Allow context mounts for unpriviliged overlayfs
Date: Fri, 12 Feb 2021 12:05:16 -0500	[thread overview]
Message-ID: <CAHC9VhQ+ki_OJrUsA3dF4NOqJQ7SiccMOGrHzHmGwSTiJmQCvg@mail.gmail.com> (raw)
In-Reply-To: <36bcaeb0-547b-c8aa-e552-cca05c4103b5@redhat.com>

On Fri, Feb 12, 2021 at 6:58 AM Daniel Walsh <dwalsh@redhat.com> wrote:
> On 2/11/21 18:28, Paul Moore wrote:
> > It will get merged into selinux/next *after* this upcoming merge
> > window.  I'm sorry, but -rc7 is just too late for new functionality;
> > kernel changes need to soak before hitting Linus' tree and with the
> > merge window opening in about three days that simply isn't enough
> > time.  Come on Dan, even you have to know that ...
>
> Well if that is ASAP, then fine, next window. Sadly this delays us three
> months from getting this feature out and tested, but we can live with this.

It's consistent with the policy I've been following for years at this
point, regular SELinux (and audit) kernel contributors as well as
people who follow the related lists should be well aware of this by
now.  If you look at the SELinux kernel tree you'll find this
documented in the README.md file in the top level directory; here is
the relevant excerpt:

"Patches will be merged into the subsystem's next branch during the
development cycle which extends from merge window close up until the
merge window reopens. However, it is important to note that large,
complicated, or invasive patches sent late in the development cycle
may be deferred until the next cycle. As a general rule, only small
patches or critical fixes will be merged after -rc5/-rc6."

https://github.com/SELinuxProject/selinux-kernel
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md

> Once it gets into a Release candidate we can push people to Rawhide to begin testing it.

As a reminder, once a patch hits the selinux/next branch it should
show up in my kernel-secnext builds within about an hour (+/- 30m
depending on the time and day).  Currently packages are only built for
Fedora Rawhide (source, x86_64, aarch64), but I still have aspirations
for providing Debian sid packages someday.

https://paul-moore.com/blog/d/2019/04/kernel_secnext_repo.html

-- 
paul moore
www.paul-moore.com