On Sat, Apr 10, 2021 at 8:51 AM Thorsten Kukuk <kukuk@suse.de> wrote:
On Sat, Apr 10, Attila Pinter wrote:
I'm very happy to see work going into this. SELinux would improve a lot on security, especially when it comes to containerization. It is crazy simple to break out of a Podman container if it is secured by AppArmor. Granted, writing the policies is time-consuming and the transition might not be the easiest, but well worth it in the long run, not to mention that we could probably take policies from Fedora as well.
The base of our SELinux policy is the Fedora one. But there are too many differences in the setup of the system, and all of them need adjustments of the policy.
The reason that MicroOS is SELinux by default is because I had "accidentally" been running MicroOS and MicroOS Desktop for *weeks* with SELinux in enforcing mode with everything working, so Richard and I decided it worked enough to switch over. :)
Regular Tumbleweed is in my sights to try SELinux on in enforcing mode. ;)