SELinux

[mudler]

No description provided.

[jmpolom]

What is the status of SELinux support with kairos built OS images? I have noticed (via the PRs mentioned here) it's explicitly disabled from the Fedora builds and getenforce reports disabled in the OpenSUSE Tumbleweed builds. I attempted to override the settings via kernel boot arguments in both, and both failed to boot (basically about what I expected). In the case of the Tumbleweed build, systemd halted the boot process when it couldn't load an SELinux policy.

This looks like a very interesting and useful project overall. However SELinux support is an important feature I look for in any distribution I'm considering using. It would be good to know what the barriers are to enabling SELinux when kairos is used to deploy OS images. For example: can I build a custom image with the necessary policy packages and enable SELinux post install? What breaks if I enable SELinux?

[jimmykarily]

Related story: #2107

[jmpolom]

@mudler Is selinux supported with kairos or not?

[jimmykarily]

@jmpolom selinux support is planned for 3.5.0: #111

That said, what you describe it what needs to happen. The right policies must be in place. Then selinux can probably be enabled and it should work. There is nothing inherent in Kairos that prevents selinux from working afaik.

If you make any progress on this and make it work, please share your results with us. Even if only for a specific distro, it will make the work for the rest of them a lot easier.