Date: Thu, 12 Aug 2021 07:55:08 -0400
From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org, Russell Coker
Subject: Re: [RFC] containers module in refpolicy
Message-ID: <20210812115508.2girvixrcowy4ytg@bubbles>
References: <20210811220728.erzu5drv6zlh2tpg@bubbles> <1926875.vxbSVt8UrT@xev>
In-Reply-To: <1926875.vxbSVt8UrT@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 21/08/12 03:22PM, Russell Coker wrote:
> On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote:
> > At this time refpolicy does not have much (if any) support for various
> > container runtimes such as docker or podman. An issue was raised on
> > container-selinux[1] about the possibility of allowing it to be built
> > against refpolicy, but the question came up of whether or not it would
> > be a better idea to instead introduce such a module specifically in
> > refpolicy. Upstream seems to be open to the idea of making
> > container-selinux work with refpolicy, but I worry that the task of
> > maintaining the module will be more work in the long run.
> >
> > What are your thoughts?
>
> We have more than a few policy modules that aren't used by the regular
> contributors to refpolicy and which aren't well maintained. Adding one more
> is no big deal.
>
> Generally having a module in upstream policy that does most of what you want
> is better than nothing, you can just have a local module to do the remainder.
> When the types needed are defined it removes the potential compatibility
> issues of different implementations.
>
> Where is the [1] reference?

Looks like I forgot to include it. The upstream issue is here:

https://github.com/containers/container-selinux/issues/113

>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>