Add support for container runtimes (podman, docker, etc) (or container-selinux support)

[0xC0ncord]

Container runtime support is currently missing in refpolicy. An issue was opened at container-selinux to bring the possibility to build it against refpolicy, but doing so presents some problems that need reworking. The idea to make container-selinux compatible with refpolicy was the originally proposed solution, but it may instead be wiser to begin work on a container module in refpolicy itself, as to avoid the many incompatibilities or to avoid rules deemed potentially too permissive in refpolicy, etc.

Either way, I am opening this issue to bring visibility on this, as overall support for container runtimes in refpolicy seems to be reaching high demand.

container-selinux issue: containers/container-selinux#113

[pebenito]

it may instead be wiser to begin work on a container module in refpolicy itself, as to avoid the many incompatibilities or to avoid rules deemed potentially too permissive in refpolicy, etc.

I'm open to further comments. I could see going either way.

"Build container-selinux with standard refpolicy"

That should be relatively straight-forward to do. Identify the current issues and address them in "container-selinux" where possible and in refpolicy where needed. Should not be too intrusive?

Whether refpolicy should have its own container policy seems to be a different question to me.

[pebenito]

Perhaps. But it also influenced by container-selinux and if it works and is considered sufficient.

[pebenito]

It would probably be best to discuss on the refpolicy mail list to get broader opinions.