From: Dominick Grift
To: selinux-refpolicy@vger.kernel.org
Subject: [refpolicy3 RFC] Split broad file contexts
Reply-To: d83ef10f-ae8b-08d2-55b7-66f2cf12ed9a@linux.microsoft.com
Date: Thu, 23 Mar 2023 16:06:09 +0100
Message-ID: <87bkkjcxsu.fsf@defensec.nl>

I agree with Matthew.
In dssp5-debian I take this even further and I generally prefer to use extend over optional where possible. I only use optional if both modules do not depend on each other. I do this for various reasons (aside from what Matthew mentioned):

* Keeps the output of semodule -vvv cleaner if you disable modules
* I try to avoid optional because of its limitations
* Keeps the policy and file_contexts cleaner/more efficient when you disable modules

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift