Chris PeBenito

Results 15 comments of Chris PeBenito

I definitely hope for progress on this. I have a KVM system with mdadm raid -> luks -> lvm that I'd like to migrate to XCP-ng, though I don't need...

Need to decide if we should use task sid or a single common genfs label, like anon_inode. @stephensmalley @jwcart2 @pcmoore if you have thoughts

There is an issue where if process A does pidfd_open() on process B, the pidfs entries will have process A's context instead of process B's, which is undesirable. Not sure...

> I don't understand what that is supposed to mean? The pidfd entries are anonymous inodes. They don't have any process credentials attached to them? It might be my lack...

> Something additional to consider: how should the policy continue to cover `ssh` daemons which continue to have monolithic behavior (e.g. `dropbear` or older OpenSSH versions)? Put the permissions that...

1. This is the first time I've heard of dinit. Looking at the GitHub info, it doesn't seem that any of refpolicy's distros support this. If that's the case, we...

@perfinion or @0xC0ncord can you try this out? I imagine binary distros wouldn't have a problem with (optionally) having setools during build, but as Gentoo is source...

Looks like we were working on the same thing simultaneously (see #833) but I'd prefer to have the complexity in the CI scripts rather than in the Makefile.

`/sys/fs/selinux/disable` isn't a good example, as it won't work if a SELinux policy is loaded. In fact, I'm surprised it exists once the policy is loaded (@pcmoore ?) `secadm_t` has...

> I did consider giving the `wayland_compositor` typeattribute manage files perms on `wayland_compositor_tmpfs_type`, but decided against this so that different running compositors can't "contaminate" each other's tmpfs's I'm not familiar...