From: Russell Coker
To: selinux-refpolicy@vger.kernel.org, Kenton Groombridge
Reply-To: russell@coker.com.au
Subject: Re: [RFC] containers module in refpolicy
Date: Thu, 12 Aug 2021 15:22:55 +1000
Message-ID: <1926875.vxbSVt8UrT@xev>
In-Reply-To: <20210811220728.erzu5drv6zlh2tpg@bubbles>
References: <20210811220728.erzu5drv6zlh2tpg@bubbles>
List-ID: selinux-refpolicy@vger.kernel.org

On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote:
> At this time refpolicy does not have much (if any) support for various
> container runtimes such as docker or podman. An issue was raised on
> container-selinux[1] about the possibility of allowing it to be built
> against refpolicy, but the question came up of whether or not it would
> be a better idea to instead introduce such a module specifically in
> refpolicy. Upstream seems to be open to the idea of making
> container-selinux work with refpolicy, but I worry that the task of
> maintaining the module will be more work in the long run.
>
> What are your thoughts?

We have more than a few policy modules that aren't used by the regular
contributors to refpolicy and which aren't well maintained. Adding one
more is no big deal.

Generally having a module in upstream policy that does most of what you
want is better than nothing; you can just have a local module to do the
remainder. When the types needed are defined it removes the potential
compatibility issues of different implementations.

Where is the [1] reference?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
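The "upstream module plus a local module for the remainder" approach described in the reply, as an added example that is not part of this thread and not code from refpolicy or container-selinux. It is a hypothetical local refpolicy module: the type names `container_runtime_t` and `container_t` are assumed to be defined by an upstream containers module (placeholders, not names from the discussion), and the local module only adds the site-specific rules while pulling in those upstream types with `gen_require`, so the local policy never has to redefine them.

```selinux
# local_containers.te: hypothetical local module layered on top of an
# assumed upstream "containers" module. It defines only what the site
# needs and requires, rather than redefines, the upstream types.
policy_module(local_containers, 1.0.0)

gen_require(`
	# Placeholder names for types assumed to come from the upstream
	# containers module; the local module must not declare them itself.
	type container_runtime_t;
	type container_t;
')

# Site-specific addition (hypothetical): a label for a local
# configuration directory that the container runtime is allowed to read.
type local_container_conf_t;
files_config_file(local_container_conf_t)

# Read-only access for the runtime domain; containers themselves get
# nothing here, so the addition stays minimal and auditable.
allow container_runtime_t local_container_conf_t:dir list_dir_perms;
allow container_runtime_t local_container_conf_t:file read_file_perms;
```

The module is built with the policy development Makefile (typically `make -f /usr/share/selinux/devel/Makefile local_containers.pp`) and loaded with `semodule -i local_containers.pp`; because the container types are required rather than declared, the build fails loudly if the upstream module that provides them is absent, which is the compatibility check the reply is pointing at.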