Date: Wed, 11 Aug 2021 18:07:28 -0400
From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org
Subject: [RFC] containers module in refpolicy
Message-ID: <20210811220728.erzu5drv6zlh2tpg@bubbles>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

At this time refpolicy does not have much (if any) support for various container runtimes such as docker or podman. An issue was raised on container-selinux[1] about the possibility of allowing it to be built against refpolicy, but the question came up of whether or not it would be a better idea to instead introduce such a module specifically in refpolicy.

Upstream seems to be open to the idea of making container-selinux work with refpolicy, but I worry that the task of maintaining the module will be more work in the long run.

What are your thoughts?