On Thu, May 13, 2021 at 10:14:38AM +0200, Laurent Bigonville wrote:
> From a SELinux policy perspective, the main problem is that the "container"
> policy is 100% Red Hat specific and has not been upstreamed and the
> difficulty is that the RH SELinux policy is heavily patched compared to the
> debian and upstream one.
Hi folks, refpolicy has a 'container' module that appears to work; it's just not built by default.

Steps taken to test it:

1. Edit debian/modules.conf.default, adding 'container = module'
2. Run 'debian/rules build-default-policy'
3. Run 'semodule -i debian/build-default/container.pp'
4. Start a container with 'podman run --rm -it docker.io/library/debian:11 sleep inf'
5. Check the context of the sleep process with 'ps -Z <pid>'

Any chance that module could be built by default?

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
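A check a practitioner would want after step 5, added here as an example and not part of Sam's message or of refpolicy: confirm that the sleep process landed in a confined container domain with per-container MCS categories rather than in an unconfined one. It assumes the refpolicy module's process domain is named container_t and that podman labels containers with an s0:cN,cM level; neither detail is stated in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread or from refpolicy.
# Assumptions: the container process domain is container_t (not stated on
# the page) and podman assigns per-container MCS categories as s0:cN,cM.

# Field accessors for a SELinux context string user:role:type:level.
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Return 0 if the context is the confined container domain with at least
# one MCS category; non-zero (with the reason on stdout) otherwise.
check_container_context() {
    ctx=$1
    type=$(context_type "$ctx")
    level=$(context_level "$ctx")
    case $type in
        container_t) ;;
        unconfined_t) echo "unconfined: $type"; return 1 ;;
        *) echo "unexpected domain: $type"; return 2 ;;
    esac
    case $level in
        *:c*) echo "ok: $type $level"; return 0 ;;
        *) echo "no MCS categories: $level"; return 3 ;;
    esac
}

# Live check; only runs where podman and SELinux are actually present.
if command -v podman >/dev/null 2>&1 && [ -d /sys/fs/selinux ]; then
    cid=$(podman run -d --rm docker.io/library/debian:11 sleep inf)
    pid=$(podman inspect -f '{{.State.Pid}}' "$cid")
    ctx=$(ps -o label= -p "$pid" | tr -d ' ')   # same column 'ps -Z' shows
    check_container_context "$ctx"
    podman stop "$cid" >/dev/null
fi
```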