On Wed, May 6, 2020 at 4:03 PM Dac Override <dac.override@xxxxxxxxx> wrote: > I think one reboot should be enough but i don't see how you would do > it without rebooting at all. > By adding selinux=1 on the kernel boot line you effectively disable > apparmor (the apparmor service unit has a condition that disables when > selinux=1 i believe) > You dont need that selinux-activate script either. The pam config > should be set up out of the box. > all that remains it the kernel boot options and relabel AFAIK. The > boot options can be added without booting by editing /etc/default/grub > and running update-grub, but relabeling requires a reboot. > > Enabling SELinux is actually amazingly simple considering the circumstances. With installer support for SELinux, it should be possible to specify SELinux enablement as part of the original install and avoid the need for a separate step to modify any configurations, relabeling, or rebooting. Just like Fedora. That said, I don't know if such an installation option would be accessible via travis-ci configuration and thus still might not be possible to enable SELinux on a travis-ci instance unless using your own infrastructure.
