On 21/08/12 03:22PM, Russell Coker wrote: > On Thursday, 12 August 2021 8:07:28 AM AEST Kenton Groombridge wrote: > > At this time refpolicy does not have much (if any) support for various > > container runtimes such as docker or podman. An issue was raised on > > container-selinux[1] about the possibility of allowing it to be built > > against refpolicy, but the question came up of whether or not it would > > be a better idea to instead introduce such a module specifically in > > refpolicy. Upstream seems to be open to the idea of making > > container-selinux work with refpolicy, but I worry that the task of > > maintaining the module will be more work in the long run. > > > > What are your thoughts? > > We have more than a few policy modules that aren't used by the regular > contributors to refpolicy and which aren't well maintained. Adding one more > is no big deal. > > Generally having a module in upstream policy that does most of what you want > is better than nothing, you can just have a local module to do the remainder. > When the types needed are defined it removes the potential compatibility > issues of different implementations. > > Where is the [1] reference? Looks like I forgot to include it. The upstream issue is here: https://github.com/containers/container-selinux/issues/113 > > -- > My Main Blog http://etbe.coker.com.au/ > My Documents Blog http://doc.coker.com.au/ >
