At this time refpolicy does not have much (if any) support for various container runtimes such as docker or podman. An issue was raised on container-selinux[1] about the possibility of allowing it to be built against refpolicy, but the question came up of whether or not it would be a better idea to instead introduce such a module specifically in refpolicy. Upstream seems to be open to the idea of making container-selinux work with refpolicy, but I worry that the task of maintaining the module will be more work in the long run. What are your thoughts?
