"container_t like" types (container_t_domain)

[vmojzis]

Hi,
we had multiple requests for the ability to create a new container type, which would be a clone of container_t with a few additional rules. Udica has the ability to add rules based on AVCs, but the policy blocks it uses are a small subset of container_t. The customers have many containers in OSP, which are tested to work under container_t, and they want to add kerberos authentication, or similar tweaks.
I thought about introducing a new attribute (e.g. container_t_domain) that would have all the permissions of container_t, which udica could then use to create the custom types.
Would you accept such a change in container-selinux (I'll implement it, just need to know it has a chance of being accepted)? I am open to other suggestions as well.
Thank you!

[rhatdan]

container_domain already exists.

[vmojzis]

I know it does, but it is not granted the same permissions as container_t (container_t has a lot of additional rules). Udica already uses conainer_domain in the base_container policy block.
Currently I have no reliable way to "clone" container_t without copying all the rules container_t is assigned directly (without the use of an attribute) and maintaining this set of rules separately (which would mean we'd have to actively track changes to container-selinux).

[rhatdan]

It would probably be best to add an interface with the additional container_t rules and then allow users to set
type mycontainer_t, container_domain;
container_addition_rules(mycontainer_t)

[vmojzis]

That would work, but would require selinux-policy-devel, policycoreutils-devel etc. on the deployment side. With an attribute (or a set of attributes) we can create the custom types using CIL.