Hi!

I would like to introduce the latest changes in the docker SELinux policy. In Fedora Rawhide and 23, selinux-policy for docker is shipped separately as a docker sub-package. This is quite a problem when we want to add rules like "docker_stream_connect(abrt_t)" to the distro policy.

The abrt policy is shipped in the selinux-policy package, but the docker_stream_connect interface is shipped in the docker-selinux package. So we cannot add this rule to the abrt policy because of the docker interface not being defined during the selinux-policy build.

The solution is that we move the docker selinux interfaces to the selinux-policy package and the rest of the files are shipped in the docker-selinux package. The disadvantage of this solution is that every time we build a new selinux-policy package we need to download the latest docker selinux-policy.

These changes have been pushed to Fedora Rawhide, so please, if you find any problem, let me know!

Thank you!
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
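
The build problem described in the message above can be reproduced with a small pre-build check. This is an added example, not part of the original message or of the selinux-policy build system. It assumes the usual refpolicy m4 form for interface definitions in .if files; the file contents, the BUILTINS list and the function names are constructed for illustration.

```python
import re

# refpolicy .if files define interfaces with m4: interface(`name',` ... ')
IF_DEF = re.compile(r"^\s*(?:interface|template)\(`([A-Za-z0-9_]+)'", re.M)
# A call in a .te file looks like: docker_stream_connect(abrt_t)
CALL = re.compile(r"\s*([a-z][a-z0-9_]*)\(")
# Macros that are not module interfaces (partial list, an assumption of this example)
BUILTINS = {"policy_module", "gen_require", "optional_policy",
            "tunable_policy", "gen_tunable", "ifdef", "ifndef"}

def defined_interfaces(if_sources):
    """Collect interface names from a {filename: text} map of .if files."""
    names = set()
    for text in if_sources.values():
        names.update(IF_DEF.findall(text))
    return names

def undefined_calls(te_text, known):
    """Return (line number, name) for each call to an interface not in `known`."""
    missing = []
    for lineno, line in enumerate(te_text.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore policy comments
        m = CALL.match(code)
        if m and m.group(1) not in BUILTINS and m.group(1) not in known:
            missing.append((lineno, m.group(1)))
    return missing

# Constructed sample of an abrt .te file carrying the rule from the message.
ABRT_TE = """\
policy_module(abrt, 1.0)
type abrt_t;
corecmd_exec_bin(abrt_t)
docker_stream_connect(abrt_t)
"""
# Constructed build tree before the change: no docker interfaces present.
BASE_IF = {"corecommands.if":
           "interface(`corecmd_exec_bin',`\n\tcan_exec($1, bin_t)\n')\n"}
# After the change: docker.if is part of the selinux-policy sources.
DOCKER_IF = {"docker.if":
             "interface(`docker_stream_connect',`\n\t# body omitted in this sample\n')\n"}

def check(if_sources):
    return undefined_calls(ABRT_TE, defined_interfaces(if_sources))

if __name__ == "__main__":
    print("before:", check(BASE_IF))
    print("after: ", check({**BASE_IF, **DOCKER_IF}))
```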