Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp7749205rwl;
        Thu, 23 Mar 2023 08:15:18 -0700 (PDT)
X-Google-Smtp-Source: AK7set96RBfofeGzAq1o5loC7vENzZ1hCC6T+sJaVduiAJxJVeyLeuTGbNbUzHqtyW1LD1NgN1vG
X-Received: by 2002:aa7:c405:0:b0:4fa:2363:6806 with SMTP id j5-20020aa7c405000000b004fa23636806mr5448044edq.17.1679584518132;
        Thu, 23 Mar 2023 08:15:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1679584518; cv=none;
        d=google.com; s=arc-20160816;
        b=fKCMCkS6g3qI3FuqFH7WvIlrKPF2HJhDtjJ/6wuuxS94xu7ZQuRnGVJ3m6Bd+RPM8M
         w75NUKrG3H0WiBMDUPIeebsmTVBaZsQ8ryHbzqf1fkC1Z8jg2B1huf/WHkx7VsSEtQmo
         XUR6b7SXJEaPPrrJJM88jYyiYqBWQCVGSFqZ8Wk26MzIDBd1cmWqW3JESQonoYzcfX90
         AiPrHwlejai+R65f0Gdj8YroKfiQei54DrcaR1TEpaR5PBOhMmkZCSUrtKYhj0ON82vK
         Jmvlgr8W9H0t/aILP4+kEg8sQx04PzgvhYEDYDfYLECsEGaasnD1IJJY/CHcckoms4ki
         E0Vw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:message-id:date:reply-to
         :subject:to:from:dkim-signature;
        bh=mboZJeL19chbuHtcCB8sPcYdk2ywBrBHE8IiDU/9nTA=;
        b=mFXQhNltTSGJ/33K/8k+a18chwSiPE0GOAJlxngM4WJvOq0XPXdq6/u7gDzaZZE/OY
         d+d1p+JUJlwk2dt5hhfOeKieroQ25Ue2rKP9GPSeFhdk7hteIbEnLSwD83dafAnL8Xso
         ThLCLHqY9ORJV65qyhNJJr2rqiPMM06ioSVf0QC14Oc+2TW7oJECwLzeUN4YGao0CjyG
         k2xZY6HuiwEvSuh+F9vRm4eS4Sz9HXw8oHSNpMgTsS4kB0aDS7c0b3Nah/YFAGKdveYo
         U21p6KzKPyEGElMISjgshAavVnO+v6xCh0vtfP2NuMpGTJDCiHCuRwSdvYo5/lNLNbgv
         iwpw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=itZ0IS3e;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=defensec.nl
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id y6-20020aa7c246000000b004acd2bb0015si19041482edo.346.2023.03.23.08.14.48;
        Thu, 23 Mar 2023 08:15:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=itZ0IS3e;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=defensec.nl
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232004AbjCWPLp (ORCPT <rfc822;sekidde@gmail.com> + 21 others);
        Thu, 23 Mar 2023 11:11:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53952 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232001AbjCWPLo (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 23 Mar 2023 11:11:44 -0400
X-Greylist: delayed 266 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Thu, 23 Mar 2023 08:10:53 PDT
Received: from markus.defensec.nl (markus.defensec.nl [IPv6:2a10:3781:2099::123])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C912628846
        for <selinux-refpolicy@vger.kernel.org>; Thu, 23 Mar 2023 08:10:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=defensec.nl;
        s=default; t=1679583969;
        bh=eydSjlVGkMTtQsVcxKAnqsEMB9MKsDETXFlHn8gJzxQ=;
        h=From:To:Subject:Reply-To:Date:From;
        b=itZ0IS3edFK+MVKl+BA21tGKOX1jrMI5jjIaDGaT5iIBBTTogEy925+AY9Dy7G+Qj
         g1b3lNYwWiBMDAsXi1FSR+DSiwf05r8IIxniHlswLKfl67s2hOn5kc5m2KMwuCVz5h
         OZoTV3uveLjeqrV5QZDq5aQQKeFDa4ANUFNZkOpg=
Received: from paulus (paulus.lan [IPv6:2a10:3781:2099::515])
        by markus.defensec.nl (Postfix) with ESMTPSA id D95FB3CC
        for <selinux-refpolicy@vger.kernel.org>; Thu, 23 Mar 2023 16:06:09 +0100 (CET)
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     selinux-refpolicy@vger.kernel.org
Subject: [refpolicy3 RFC] Split broad file contexts
Reply-To: d83ef10f-ae8b-08d2-55b7-66f2cf12ed9a@linux.microsoft.com
Date:   Thu, 23 Mar 2023 16:06:09 +0100
Message-ID: <87bkkjcxsu.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_PASS
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


I agree with Metthew.

In dssp5-debian I take this even further and I generally prefer to use
extend over optional where possible.

I only use optional if both module do not depend on eachother.

I do this for various reasons (aside from what Matthew mentioned)

* Keeps the output of semodule -vvv cleaner if you disable modules
* I try to avoid optional because of its limitations
* Keeps the policy and file_contexts cleaner/more efficient when you disable modules

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift