Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp594335pxt;
        Thu, 12 Aug 2021 05:35:09 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy02Xgvxtf5rw7HqepcWPV8mCUREx/HNiIhR01ZFO6pyakPx2KY58lwvTr43/yLg/LG6B9n
X-Received: by 2002:a02:c9c4:: with SMTP id c4mr3622633jap.67.1628771708817;
        Thu, 12 Aug 2021 05:35:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628771708; cv=none;
        d=google.com; s=arc-20160816;
        b=eCI3EebvIGTHB0TD9nQrHxQwRhv55qt7S4Tpht9wq2x7u+6vp+rfpcgCdcWzOhDmPF
         Qh4fHT85NE3OrjBqExEHuYi0084w7RUzSiqA83YU9PQ6oqyZGiUUYmY4vZ8X+/1xCJNI
         cCSq86O7E0X/YxOmdLtNZ868LGSnP6oCx/8eGMLrclg5ElXXSp6uAt8f2MpNo69gwPJJ
         QKP8zVmQXxqVlYcGTxW899mQIeWMmf4tW0QgEoZ3ArSNja6thtHEg2GK6N9yTmHTG3Wu
         KyrLez7MOI8D9vJkbmhRFYEg1mauTGooR3Er7qooVJ4vu5V/xY/j1/tcCxTUjooSXpBV
         MnjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:to:from:date:dkim-signature;
        bh=IgE0zuTDQuUFo5/Lq45DudzihQzKjvbN1R/LtcWpU2s=;
        b=DISemXpQEUZWs5to7/FqaPY/WvX0qkdIgpBXLbw0hFJt8qXt/8x+vJkVqqrZDHDgcv
         /FWlAfXke/X6DYfkbDUmEAGIqQFaX1+ac3Mea4H7T+nvh/t/fwCKt6QwE6jgbimjLlKJ
         RBa8QyfzrAXm7wqTSNZ1vQPWQwYIeKkXJE65UXtam8oDSe4F6/NTHKFv8eeTARigdNb1
         cNW60FuNDAiE5Ev7nzuzB18X8GL8Z4PxsUVW04jdJC3DaFqnT2ztz/xx5ucQ3z4PNd68
         Wm/s2WABJnuTn7b129mvM1ax6gPW4/ocQIGvLrjzBSoezu8C/l+jSaFlDCjSqUvZg1jr
         522Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@concord.sh header.s=dkim header.b=AX03Guhu;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=concord.sh
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u2si3192455jah.8.2021.08.12.05.35.04;
        Thu, 12 Aug 2021 05:35:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@concord.sh header.s=dkim header.b=AX03Guhu;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=concord.sh
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236500AbhHLLzl (ORCPT <rfc822;sonicqiang@gmail.com> + 20 others);
        Thu, 12 Aug 2021 07:55:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41118 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235145AbhHLLzl (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 12 Aug 2021 07:55:41 -0400
X-Greylist: delayed 49661 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Thu, 12 Aug 2021 04:55:16 PDT
Received: from yunyun.fuwafuwatime.moe (yunyun.fuwafuwatime.moe [IPv6:2604:180:2:42f::2])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 32E5DC061765
        for <selinux-refpolicy@vger.kernel.org>; Thu, 12 Aug 2021 04:55:16 -0700 (PDT)
Received: from megumin.fuwafuwatime.moe (c-174-50-100-124.hsd1.ga.comcast.net [174.50.100.124])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        by yunyun.fuwafuwatime.moe (Postfix) with ESMTPSA id 3E7CCC1778;
        Thu, 12 Aug 2021 07:55:13 -0400 (EDT)
Received: from localhost (bubbles.localdomain [192.168.1.101])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        by megumin.fuwafuwatime.moe (Postfix) with ESMTPSA id 0130643BDF;
        Thu, 12 Aug 2021 07:55:11 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=concord.sh; s=dkim;
        t=1628769312;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=IgE0zuTDQuUFo5/Lq45DudzihQzKjvbN1R/LtcWpU2s=;
        b=AX03GuhujwSRpL7rNmTeE6s729b3YBZ5oEEVt83B859Eadh/W6Iwb1Qntm60pAUcchNQTj
        mDqOTFbXKBmUl/pooKeX2XOvItDZlAdJ8WoWGMsOfxdWaxxPcUY1D4vD6m5MBKjPXWCXMN
        dp3uQxoruHjtc1dA6YX5K0Yddi6XxFxU+HDklWefTz4uj+JS8vLueYiHQhrF4VIjSOdltW
        OFnMleYFgKRSlwqIwX0mLrGMkLOlshaA768ZFFtR8qHeERLK1TZgHBdoBsE6IAPAV0fcZM
        ohYrZCrkjMA1mDtAz7sh94LTwTtIG1RJDHgayGNXc2p4koBzu8uaqJ8WecSgTw==
Date:   Thu, 12 Aug 2021 07:55:08 -0400
From:   Kenton Groombridge <me@concord.sh>
To:     selinux-refpolicy@vger.kernel.org,
        Russell Coker <russell@coker.com.au>
Subject: Re: [RFC] containers module in refpolicy
Message-ID: <20210812115508.2girvixrcowy4ytg@bubbles>
References: <20210811220728.erzu5drv6zlh2tpg@bubbles>
 <1926875.vxbSVt8UrT@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1926875.vxbSVt8UrT@xev>
Authentication-Results: ORIGINATING;
        auth=pass smtp.auth=me@concord.sh smtp.mailfrom=me@concord.sh
X-Spam-Status: No, score=-3.60
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 21/08/12 03:22PM, Russell Coker wrote:
> On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote:
> > At this time refpolicy does not have much (if any) support for various
> > container runtimes such as docker or podman. An issue was raised on
> > container-selinux[1] about the possibility of allowing it to be built
> > against refpolicy, but the question came up of whether or not it would
> > be a better idea to instead introduce such a module specifically in
> > refpolicy. Upstream seems to be open to the idea of making
> > container-selinux work with refpolicy, but I worry that the task of
> > maintaining the module will be more work in the long run.
> > 
> > What are your thoughts?
> 
> We have more than a few policy modules that aren't used by the regular 
> contributors to refpolicy and which aren't well maintained.  Adding one more 
> is no big deal.
> 
> Generally having a module in upstream policy that does most of what you want 
> is better than nothing, you can just have a local module to do the remainder.  
> When the types needed are defined it removes the potential compatibility 
> issues of different implementations.
> 
> Where is the [1] reference?

Looks like I forgot to include it. The upstream issue is here:

https://github.com/containers/container-selinux/issues/113

> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
>