Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp7749205rwl; Thu, 23 Mar 2023 08:15:18 -0700 (PDT) X-Google-Smtp-Source: AK7set96RBfofeGzAq1o5loC7vENzZ1hCC6T+sJaVduiAJxJVeyLeuTGbNbUzHqtyW1LD1NgN1vG X-Received: by 2002:aa7:c405:0:b0:4fa:2363:6806 with SMTP id j5-20020aa7c405000000b004fa23636806mr5448044edq.17.1679584518132; Thu, 23 Mar 2023 08:15:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1679584518; cv=none; d=google.com; s=arc-20160816; b=fKCMCkS6g3qI3FuqFH7WvIlrKPF2HJhDtjJ/6wuuxS94xu7ZQuRnGVJ3m6Bd+RPM8M w75NUKrG3H0WiBMDUPIeebsmTVBaZsQ8ryHbzqf1fkC1Z8jg2B1huf/WHkx7VsSEtQmo XUR6b7SXJEaPPrrJJM88jYyiYqBWQCVGSFqZ8Wk26MzIDBd1cmWqW3JESQonoYzcfX90 AiPrHwlejai+R65f0Gdj8YroKfiQei54DrcaR1TEpaR5PBOhMmkZCSUrtKYhj0ON82vK Jmvlgr8W9H0t/aILP4+kEg8sQx04PzgvhYEDYDfYLECsEGaasnD1IJJY/CHcckoms4ki E0Vw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:date:reply-to :subject:to:from:dkim-signature; bh=mboZJeL19chbuHtcCB8sPcYdk2ywBrBHE8IiDU/9nTA=; b=mFXQhNltTSGJ/33K/8k+a18chwSiPE0GOAJlxngM4WJvOq0XPXdq6/u7gDzaZZE/OY d+d1p+JUJlwk2dt5hhfOeKieroQ25Ue2rKP9GPSeFhdk7hteIbEnLSwD83dafAnL8Xso ThLCLHqY9ORJV65qyhNJJr2rqiPMM06ioSVf0QC14Oc+2TW7oJECwLzeUN4YGao0CjyG k2xZY6HuiwEvSuh+F9vRm4eS4Sz9HXw8oHSNpMgTsS4kB0aDS7c0b3Nah/YFAGKdveYo U21p6KzKPyEGElMISjgshAavVnO+v6xCh0vtfP2NuMpGTJDCiHCuRwSdvYo5/lNLNbgv iwpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=itZ0IS3e; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=defensec.nl Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y6-20020aa7c246000000b004acd2bb0015si19041482edo.346.2023.03.23.08.14.48; Thu, 23 Mar 2023 08:15:18 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=itZ0IS3e; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=defensec.nl Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232004AbjCWPLp (ORCPT + 21 others); Thu, 23 Mar 2023 11:11:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53952 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232001AbjCWPLo (ORCPT ); Thu, 23 Mar 2023 11:11:44 -0400 X-Greylist: delayed 266 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Thu, 23 Mar 2023 08:10:53 PDT Received: from markus.defensec.nl (markus.defensec.nl [IPv6:2a10:3781:2099::123]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C912628846 for ; Thu, 23 Mar 2023 08:10:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=defensec.nl; s=default; t=1679583969; bh=eydSjlVGkMTtQsVcxKAnqsEMB9MKsDETXFlHn8gJzxQ=; h=From:To:Subject:Reply-To:Date:From; b=itZ0IS3edFK+MVKl+BA21tGKOX1jrMI5jjIaDGaT5iIBBTTogEy925+AY9Dy7G+Qj g1b3lNYwWiBMDAsXi1FSR+DSiwf05r8IIxniHlswLKfl67s2hOn5kc5m2KMwuCVz5h OZoTV3uveLjeqrV5QZDq5aQQKeFDa4ANUFNZkOpg= Received: from paulus (paulus.lan [IPv6:2a10:3781:2099::515]) by markus.defensec.nl (Postfix) with ESMTPSA id D95FB3CC for ; Thu, 23 Mar 2023 16:06:09 +0100 (CET) From: Dominick Grift To: selinux-refpolicy@vger.kernel.org Subject: [refpolicy3 RFC] Split broad file contexts Reply-To: d83ef10f-ae8b-08d2-55b7-66f2cf12ed9a@linux.microsoft.com Date: Thu, 23 Mar 2023 16:06:09 +0100 Message-ID: <87bkkjcxsu.fsf@defensec.nl> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org I agree with Metthew. In dssp5-debian I take this even further and I generally prefer to use extend over optional where possible. I only use optional if both module do not depend on eachother. I do this for various reasons (aside from what Matthew mentioned) * Keeps the output of semodule -vvv cleaner if you disable modules * I try to avoid optional because of its limitations * Keeps the policy and file_contexts cleaner/more efficient when you disable modules -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift