Closed FruityWelsh closed 1 month ago
travier
commented
1 year ago Labels for files in /usr are set at compose time by rpm-ostree.
It's unlikely that you need to relabel everything in /usr to switch to MLS.
Combining MLS and desktop environments is completely untested.
FruityWelsh
commented
1 year ago Labels for files in
/usrare set at compose time by rpm-ostree. It's unlikely that you need to relabel everything in/usrto switch to MLS.
So would relabling to support mls best be done here? What mechanism does that in ostree if I wanted to devl deeper there?
Combining MLS and desktop environments is completely untested.
I might just test this on a non ostree system real quick then to make sure the issues I've had on my kinoite system aren't unique to it then (flashing screen and input unavailable during flashing, I will grab logs for it next chance I can since I now know it's untested).
travier
commented
1 year ago You would have to build your own variant with the target policy removed and the MLS one added by default.
travier
commented
1 month ago Closing as this is unlikely to be a Silverblue only effort and it would have to happen at the more global Fedora level, likely with discussions with Fedora Workstation.
Is your feature request related to a problem? Please describe. I tried implementing SELinux MLS on my system following the guide for rhel 9 as a reference, but expected issues occur on step 4:
fixfiles -F onbootbecause the file system is readonly on boot. Describe the solution you'd like What would be ideal in my mind would be for there to be a check added if more than oneselinux-policy(i.e.selinux-policy-mlsandselinux-policy-targeted) package is installed, then a different layer should be made for each. When/etc/selinux/configis edited to changed to a newSELINUXTYPEthen on boot the correct policy layer is chosen.Describe alternatives you've considered Other options would be to have SELinux config "SELINUXTYPE" be ignored and have policy package types conflict. Meaning, an installation of a new one would remove the old and set the files' context to match the installed package.