On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote: > At this time refpolicy does not have much (if any) support for various > container runtimes such as docker or podman. An issue was raised on > container-selinux[1] about the possibility of allowing it to be built > against refpolicy, but the question came up of whether or not it would > be a better idea to instead introduce such a module specifically in > refpolicy. Upstream seems to be open to the idea of making > container-selinux work with refpolicy, but I worry that the task of > maintaining the module will be more work in the long run. > > What are your thoughts? We have more than a few policy modules that aren't used by the regular contributors to refpolicy and which aren't well maintained. Adding one more is no big deal. Generally having a module in upstream policy that does most of what you want is better than nothing, you can just have a local module to do the remainder. When the types needed are defined it removes the potential compatibility issues of different implementations. Where is the [1] reference? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
