Feature Request: SELinux MultiLevelSecurity (MLS) support

[FruityWelsh]

Is your feature request related to a problem? Please describe. I tried implementing SELinux MLS on my system following the guide for rhel 9 as a reference, but expected issues occur on step 4: fixfiles -F onboot because the file system is readonly on boot. Describe the solution you'd like What would be ideal in my mind would be for there to be a check added if more than one selinux-policy (i.e. selinux-policy-mls and selinux-policy-targeted) package is installed, then a different layer should be made for each. When /etc/selinux/config is edited to changed to a new SELINUXTYPE then on boot the correct policy layer is chosen.

Describe alternatives you've considered Other options would be to have SELinux config "SELINUXTYPE" be ignored and have policy package types conflict. Meaning, an installation of a new one would remove the old and set the files' context to match the installed package.

[travier]

Labels for files in /usr are set at compose time by rpm-ostree.

It's unlikely that you need to relabel everything in /usr to switch to MLS.

Combining MLS and desktop environments is completely untested.

[FruityWelsh]

Labels for files in /usr are set at compose time by rpm-ostree. It's unlikely that you need to relabel everything in /usr to switch to MLS.

So would relabling to support mls best be done here? What mechanism does that in ostree if I wanted to devl deeper there?

Combining MLS and desktop environments is completely untested.

I might just test this on a non ostree system real quick then to make sure the issues I've had on my kinoite system aren't unique to it then (flashing screen and input unavailable during flashing, I will grab logs for it next chance I can since I now know it's untested).

[travier]

You would have to build your own variant with the target policy removed and the MLS one added by default.