|
| 1 | +# OCI go-selinux project proposal |
| 2 | + |
| 3 | +## Abstract |
| 4 | +Having a solid, battle-proven, common selinux implementation in OCI for use in and outside of runc will ensure long lasting security and interoperability throughout the container ecosystem. |
| 5 | + |
| 6 | +## Proposal |
| 7 | +Refactor and move the selinux library out of runc into a separate project: |
| 8 | + |
| 9 | +https://github.com/opencontainers/runc/tree/master/libcontainer/selinux |
| 10 | + |
| 11 | +The new project would live in the opencontainers github organization: |
| 12 | + |
| 13 | +https://github.com/opencontainers/go-selinux |
| 14 | + |
| 15 | +A sample of how the project would look like is already here: |
| 16 | + |
| 17 | +https://github.com/runcom/go-selinux |
| 18 | + |
| 19 | +### Initial Maintainers |
| 20 | +Initial maintainers of the go-selinux project would be: |
| 21 | + |
| 22 | +* Antonio Murdaca <[email protected]> ( @runcom) |
| 23 | +* Daniel J Walsh <[email protected]> ( @rhatdan) |
| 24 | +* Mrunal Patel <[email protected]> ( @mrunalp) |
| 25 | +* Stephen Smalley <[email protected]> ( @stephensmalley) |
| 26 | + |
| 27 | +### Code of Conduct |
| 28 | +This project would incorporate (by reference) the OCI Code of Conduct. |
| 29 | + |
| 30 | +### Governance and Releases |
| 31 | +This project would incorporate the Governance and Releases processes from the OCI project template: https://github.com/opencontainers/project-template. |
| 32 | + |
| 33 | +### Project Communications |
| 34 | +The proposed project would continue to use existing channels in use by the OCI developer community for communication including: |
| 35 | +* GitHub for issues and pull requests |
| 36 | +* The [email protected] email list |
| 37 | +* The weekly OCI developer community conference call |
| 38 | +* The #OpenContainers IRC channel |
| 39 | + |
| 40 | +### Versioning / Roadmap |
| 41 | +We will probably minimize the releases of this project. |
| 42 | + |
| 43 | +## Frequently Asked Questions (FAQ) |
| 44 | +Q: Does this change the OCI Charter or Scope Table? |
| 45 | +A: No. Nothing in this proposal is intended to amend the [OCI Charter](https://www.opencontainers.org/about/governance) or [OCI Scope Table](https://www.opencontainers.org/about/oci-scope-table). |
| 46 | + |
| 47 | +*Q: Why move this out of the runc project?* |
| 48 | + |
| 49 | +A: To be able to reuse this in different container projects as well as have dedicated maintainers for the SELinux library. Getting more exposure and others to use it would probably lead to completing lots of features that are missing from the libcontainer/selinux bindings. There are lots of bindings in libselinux that do not have native bindings yet. Getting other projects to use SELinux bindings would also lead to potential improvements in the bindings. |
| 50 | + |
| 51 | +*Q: Why is versioning this package with runc insufficient today? What issues have been encountered?* |
| 52 | + |
| 53 | +A: There's no versioning of selinux in run. For instance, we fixed something in selinux in runc because CRI-O needed it but at the same time we broke docker which was relying on it. Having fixed versions for selinux wouldn't have led to this issue since docker could have stuck to a previous version and carefully test the new version w/o pulling new changes as part of a libcontainer library bump. |
| 54 | + |
| 55 | +*Q: Who are the other target users of go-selinux?* |
| 56 | + |
| 57 | +A: docker, rkt, CRI-O, kubernetes, any other project out there requiring a dedicated selinux library. |
0 commit comments