Hi,

Took longer than wanted due to missing time for this, but here is a first instruction how to install and enable SELinux on MicroOS (pure MicroOS, no container host or other system roles yet):

MicroOS:
1. Boot with "security=selinux selinux=1"
2. Add "security=selinux selinux=1 enforcing=0" to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
3. zypper ar -f https://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factor... selinux
2. transactional-update shell grub.cfg pkg install selinux-policy-targeted selinux-tools restorecond
   - Edit /etc/selinux/config:
     SELINUX=permissive
     SELINUXTYPE=minimum
   - > load_policy
   - > restorecon -R -e /.snapshots -e /var /
   - systemctl enable restorecond
   - exit
3. reboot
4. restorecon -R -e /.snapshots -e /var/lib/overlay /

In theory, you could now reboot with "enforcing=1", but there seems to be a dependency bug somewhere. dbus will not start. No idea why, on Tumbleweed with the same policy it works fine. So I assume a race condition, Tumbleweed starts much more and needs longer to boot.

Many more open things, maybe somebody knows an answer?
1. How to label .snapshot, /home, /srv, /var, /usr/local in transactional-update shell?
2. Clean up dependencies and packaging, what is really required?
3. /var/lib/selinux and transactional-update
4. Relabel of /tmp during boot (because of tmpfs)
5. Relabel of /run during boot (/run/agetty.reload)
6. Relabel of /sys/kernel/uevent_helper during boot
7. restorecond? RedHat does not install it.

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
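A preflight check for the boot arguments and /etc/selinux/config settings named in the steps above, as an added example that is not part of the original mail. The function names and the fixture contents in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: every function takes the file to inspect as an argument, so
# it can be pointed at a snapshot or a fixture instead of the live system.
# Live use: check_selinux_setup /proc/cmdline /etc/default/grub /etc/selinux/config

# has_arg "ARGS" ARG: true if ARG is a whole space-separated token in ARGS.
has_arg() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# selinux_boot_args_ok "ARGS": both kernel arguments from step 1 are present.
selinux_boot_args_ok() {
    has_arg "$1" security=selinux && has_arg "$1" selinux=1
}

# grub_default_args FILE: print the value of GRUB_CMDLINE_LINUX_DEFAULT.
grub_default_args() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# config_value FILE KEY: print KEY's value, skipping commented-out lines.
config_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_selinux_setup CMDLINE GRUB CONFIG: one line per finding, nonzero on any.
check_selinux_setup() {
    rc=0
    selinux_boot_args_ok "$(cat "$1")" || { echo "running kernel: SELinux args missing"; rc=1; }
    selinux_boot_args_ok "$(grub_default_args "$2")" || { echo "grub default: SELinux args missing"; rc=1; }
    mode=$(config_value "$3" SELINUX)
    case $mode in
        permissive|enforcing) ;;
        *) echo "config: SELINUX=$mode is not permissive or enforcing"; rc=1 ;;
    esac
    [ -n "$(config_value "$3" SELINUXTYPE)" ] || { echo "config: SELINUXTYPE unset"; rc=1; }
    return $rc
}

# demo: run the checks on constructed fixture files (not real system files).
demo() {
    demo_dir=$(mktemp -d)
    echo 'root=/dev/vda2 security=selinux selinux=1 enforcing=0' > "$demo_dir/cmdline"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="quiet security=selinux selinux=1 enforcing=0"' > "$demo_dir/grub"
    printf 'SELINUX=permissive\nSELINUXTYPE=minimum\n' > "$demo_dir/config"
    check_selinux_setup "$demo_dir/cmdline" "$demo_dir/grub" "$demo_dir/config"; demo_rc=$?
    rm -rf "$demo_dir"; return $demo_rc
}
```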