Hi!
I would like to introduce the latest changes in the docker selinux policy.
In Fedora Rawhide and 23, selinux-policy for docker is shipped separately
as a docker sub-package. This is quite a problem when we want to add
rules like: "docker_stream_connect(abrt_t)" to distro policy. The
abrt policy is shipped in the selinux-policy package but
the docker_stream_connect interface is shipped in the docker-selinux
package. So we cannot add this rule to the abrt policy because of the
docker interface not being defined during the selinux-policy build.
The solution is that we move the docker selinux interfaces
to the selinux-policy package and the rest of the files are shipped in
the docker-selinux package.
The disadvantage of this solution is that every time we build a new
selinux-policy package we need to download the latest docker selinux-policy.
These changes have been pushed to Fedora Rawhide, so please, if you find
any problem, let me know!
Thank you!
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.