[RFE] new package: sec-policy/selinux-container

[tormath1]

Current situation

For SELinux, we currently use the following policies with custom patches:

• sec-policy/selinux-virt
• sec-policy/selinux-unconfined
• sec-policy/selinux-base

In the SELinux effort, it would be nice to port the following policy: https://github.com/containers/container-selinux to the OS to be aligned with an upstream reference and contribute to it.

Impact

• no need to maintain custom patches
• up-to-date with an official containers SELinux policy
• contribute to the containers/container-selinux

Implementation options

It seems there is no ebuild for this policy - we could contribute to the upstream ::gentoo to provide it then add it to ::portage-stable.

Additional information

• upstream issue to track addition of sec-policy/selinux-container to ::gentoo: https://bugs.gentoo.org/832416
• see also this issue: kubernetes: flannel init container is crashing #476
• it seems container-selinux is on its way to be merged to refpolicy (Add support for container runtimes (podman, docker, etc) (or container-selinux support) SELinuxProject/refpolicy#397)

[tormath1]

containers SELinux module has been added to refpolicy.

[tormath1]

sec-policy/selinux-container has been added upstream: https://github.com/gentoo/gentoo/tree/master/sec-policy/selinux-container