* [RFC] containers module in refpolicy
@ 2021-08-11 22:07 Kenton Groombridge
2021-08-12 5:22 ` Russell Coker
0 siblings, 1 reply; 3+ messages in thread
From: Kenton Groombridge @ 2021-08-11 22:07 UTC (permalink / raw)
To: selinux-refpolicy
At this time refpolicy does not have much (if any) support for various
container runtimes such as docker or podman. An issue was raised on
container-selinux[1] about the possibility of allowing it to be built
against refpolicy, but the question came up of whether or not it would
be a better idea to instead introduce such a module specifically in
refpolicy. Upstream seems to be open to the idea of making
container-selinux work with refpolicy, but I worry that the task of
maintaining the module will be more work in the long run.
What are your thoughts?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC] containers module in refpolicy
2021-08-11 22:07 [RFC] containers module in refpolicy Kenton Groombridge
@ 2021-08-12 5:22 ` Russell Coker
2021-08-12 11:55 ` Kenton Groombridge
0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2021-08-12 5:22 UTC (permalink / raw)
To: selinux-refpolicy, Kenton Groombridge
On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote:
> At this time refpolicy does not have much (if any) support for various
> container runtimes such as docker or podman. An issue was raised on
> container-selinux[1] about the possibility of allowing it to be built
> against refpolicy, but the question came up of whether or not it would
> be a better idea to instead introduce such a module specifically in
> refpolicy. Upstream seems to be open to the idea of making
> container-selinux work with refpolicy, but I worry that the task of
> maintaining the module will be more work in the long run.
>
> What are your thoughts?
We have more than a few policy modules that aren't used by the regular
contributors to refpolicy and which aren't well maintained. Adding one more
is no big deal.
Generally having a module in upstream policy that does most of what you want
is better than nothing, you can just have a local module to do the remainder.
When the types needed are defined it removes the potential compatibility
issues of different implementations.
Where is the [1] reference?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC] containers module in refpolicy
2021-08-12 5:22 ` Russell Coker
@ 2021-08-12 11:55 ` Kenton Groombridge
0 siblings, 0 replies; 3+ messages in thread
From: Kenton Groombridge @ 2021-08-12 11:55 UTC (permalink / raw)
To: selinux-refpolicy, Russell Coker
On 21/08/12 03:22PM, Russell Coker wrote:
> On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote:
> > At this time refpolicy does not have much (if any) support for various
> > container runtimes such as docker or podman. An issue was raised on
> > container-selinux[1] about the possibility of allowing it to be built
> > against refpolicy, but the question came up of whether or not it would
> > be a better idea to instead introduce such a module specifically in
> > refpolicy. Upstream seems to be open to the idea of making
> > container-selinux work with refpolicy, but I worry that the task of
> > maintaining the module will be more work in the long run.
> >
> > What are your thoughts?
>
> We have more than a few policy modules that aren't used by the regular
> contributors to refpolicy and which aren't well maintained. Adding one more
> is no big deal.
>
> Generally having a module in upstream policy that does most of what you want
> is better than nothing, you can just have a local module to do the remainder.
> When the types needed are defined it removes the potential compatibility
> issues of different implementations.
>
> Where is the [1] reference?
Looks like I forgot to include it. The upstream issue is here:
https://github.com/containers/container-selinux/issues/113
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-12 11:55 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-11 22:07 [RFC] containers module in refpolicy Kenton Groombridge
2021-08-12 5:22 ` Russell Coker
2021-08-12 11:55 ` Kenton Groombridge
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.