Took longer than wanted due to a lack of time for this, but here is a
first set of instructions on how to install and enable SELinux on MicroOS (pure
MicroOS, no container host or other system roles yet):
1. Boot with "security=selinux selinux=1"
2. Add "security=selinux selinux=1 enforcing=0" to GRUB_CMDLINE_LINUX_DEFAULT in
3. zypper ar -f
2. transactional-update shell grub.cfg pkg install selinux-policy-targeted selinux-tools
- Edit /etc/selinux/config:
- > load_policy
- > restorecon -R -e /.snapshots -e /var /
- systemctl enable restorecond
4. restorecon -R -e /.snapshots -e /var/lib/overlay /
In theory, you could now reboot with "enforcing=1", but there
seems to be a dependency bug somewhere: dbus will not start.
No idea why; on Tumbleweed with the same policy it works fine.
So I assume a race condition, as Tumbleweed starts much more and
needs longer to boot.
Many more open things; maybe somebody knows an answer?
1. How to label .snapshot, /home, /srv, /var, /usr/local in transactional-update shell?
2. Clean up dependencies and packaging: what is really required?
3. /var/lib/selinux and transactional-update
4. Relabel of /tmp during boot (because of tmpfs)
5. Relabel of /run during boot (/run/agetty.reload)
6. Relabel of /sys/kernel/uevent_helper during boot
7. restorecond? RedHat does not install it.
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
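Added example, not code from the post or from MicroOS: shell helpers for the two configuration-file edits in the procedure above, the kernel parameters in GRUB_CMDLINE_LINUX_DEFAULT and the mode/policy in /etc/selinux/config, plus a parser for a kernel command line so the result can be checked after the reboot. All file paths are parameters and the demo at the bottom runs on constructed scratch copies; that the real files live at /etc/default/grub and /etc/selinux/config is an assumption about the system. Writing "permissive" first means denials are only logged as AVC messages until the boot has been verified, and the switch to "enforcing" is a deliberate second step.

```shell
#!/bin/sh
# Added example, not from the post. Helpers for the configuration edits in the
# procedure above. All paths are parameters so the functions can be tried on
# scratch copies first; /etc/default/grub and /etc/selinux/config as the real
# locations are assumptions about the system.

# add_kernel_params FILE PARAM...: append each PARAM to GRUB_CMDLINE_LINUX_DEFAULT
# unless it is already there, keep every other line untouched, print the result.
add_kernel_params() {
    grub_file=$1; shift
    # last definition wins when the file is sourced, so take the last match
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$grub_file" | tail -n 1)
    new=$current
    for p in "$@"; do
        case " $new " in
            *" $p "*) ;;                     # already present, stay idempotent
            *) new="${new:+$new }$p" ;;
        esac
    done
    tmp_file=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub_file"; then
        # '|' as the sed delimiter; the parameters contain '=' but no '|' or '&'
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$grub_file" > "$tmp_file"
    else
        cat "$grub_file" > "$tmp_file" 2>/dev/null || :
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$tmp_file"
    fi
    cat "$tmp_file" > "$grub_file" && rm -f "$tmp_file"
    printf '%s\n' "$new"
}

# write_selinux_config FILE MODE TYPE: write the /etc/selinux/config content.
# Start with "permissive" so denials are only logged (AVC messages in the audit
# log) until the boot has been verified, then switch to "enforcing".
write_selinux_config() {
    case $2 in
        enforcing|permissive|disabled) ;;
        *) printf 'invalid SELINUX mode: %s\n' "$2" >&2; return 1 ;;
    esac
    printf 'SELINUX=%s\nSELINUXTYPE=%s\n' "$2" "$3" > "$1"
}

# selinux_mode FILE: print the SELINUX= value from a config file
selinux_mode() { sed -n 's/^SELINUX=//p' "$1" | tail -n 1; }

# cmdline_param CMDLINE KEY: print the value of KEY=VALUE in a kernel command
# line string (e.g. the contents of /proc/cmdline); exit 1 if the key is absent.
cmdline_param() {
    for tok in $1; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Demo on scratch copies (constructed input, not a real /etc/default/grub)
demo_dir=$(mktemp -d)
printf 'GRUB_TIMEOUT=8\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' > "$demo_dir/grub"
add_kernel_params "$demo_dir/grub" security=selinux selinux=1 enforcing=0
write_selinux_config "$demo_dir/config" permissive targeted
cat "$demo_dir/grub" "$demo_dir/config"
cmdline_param "BOOT_IMAGE=/boot/vmlinuz quiet security=selinux selinux=1 enforcing=0" enforcing
rm -rf "$demo_dir"
```

On a real system the file arguments would be /etc/default/grub and /etc/selinux/config (assumed paths) inside the transactional-update shell, followed by regenerating grub.cfg as the post describes; after the reboot, `cmdline_param "$(cat /proc/cmdline)" enforcing` shows which mode the kernel was actually booted with.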