From: Russell Coker
To: selinux-refpolicy@vger.kernel.org, Kenton Groombridge
Reply-To: russell@coker.com.au
Subject: Re: [RFC] containers module in refpolicy
Date: Thu, 12 Aug 2021 15:22:55 +1000 (AEST)
Message-ID: <1926875.vxbSVt8UrT@xev>
In-Reply-To: <20210811220728.erzu5drv6zlh2tpg@bubbles>
References: <20210811220728.erzu5drv6zlh2tpg@bubbles>

On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote:
> At this time refpolicy does not have much (if any) support for various
> container runtimes such as docker or podman. An issue was raised on
> container-selinux[1] about the possibility of allowing it to be built
> against refpolicy, but the question came up of whether or not it would
> be a better idea to instead introduce such a module specifically in
> refpolicy. Upstream seems to be open to the idea of making
> container-selinux work with refpolicy, but I worry that the task of
> maintaining the module will be more work in the long run.
>
> What are your thoughts?

We have more than a few policy modules that aren't used by the regular
contributors to refpolicy and which aren't well maintained. Adding one more
is no big deal.

Generally having a module in upstream policy that does most of what you want
is better than nothing, you can just have a local module to do the remainder.
When the types needed are defined it removes the potential compatibility
issues of different implementations.

Where is the [1] reference?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/