On Thu, May 7, 2020 at 10:49 AM Russell Coker <russell@xxxxxxxxxxxx> wrote:
>
> On Thursday, 7 May 2020 6:35:11 PM AEST Laurent Bigonville wrote:
> > If people are using preseed installations (kickstart equivalent), I
> > think that enabling SELinux in the installer shouldn't be too difficult
> > (installing the needed packages, modifying the files and relabeling with
> > fixfiles). It's obviously not user friendly, but the question is what's
> > the target here.
>
> If we want to do that properly then I guess we want SE Linux enabled in the
> kernel that the installer uses and then have the policy installed early in the
> installation so the files can have the correct labels from the start instead of
> having a relabel process afterwards.

That would be good but might be overreach for Debian since SELinux is not the default there. It isn't strictly necessary; ever since we went to using extended attributes for file labels, you can set them on a non-SELinux-enabled kernel, so the installer can always set them even if its kernel doesn't enable SELinux. Optimally they would be set by the package manager based on file_contexts; that is what rpm does in Fedora/RHEL. Or you can always run setfiles after package installation but before rebooting into the SELinux-enabled kernel. You don't need to defer labeling until you have SELinux enabled.
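
The mechanism described in the reply above, as an added example that is not part of the original thread: a label is chosen by matching the path against file_contexts entries and is stored in the `security.selinux` extended attribute, which can be written without SELinux enabled in the running kernel. The sample entries are constructed, the function names are hypothetical, and the precedence rule is a simplified model of the lookup that setfiles performs.

```python
import os
import re

# Constructed sample in file_contexts syntax: regex, optional file-type flag, context.
SAMPLE_FILE_CONTEXTS = """\
# constructed entries for illustration only
/.*                  system_u:object_r:default_t:s0
/etc(/.*)?           system_u:object_r:etc_t:s0
/etc/shadow     --   system_u:object_r:shadow_t:s0
/usr/bin(/.*)?       system_u:object_r:bin_t:s0
/tmp/.*              <<none>>
"""

FTYPE_FLAGS = {"--": "f", "-d": "d", "-l": "l", "-c": "c", "-b": "b", "-s": "s", "-p": "p"}
META = set(".^$?*+|[({\\")


def parse_specs(text):
    """Return (regex, ftype or None, context, has_meta) tuples in lookup order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) not in (2, 3):
            continue
        pattern, context = fields[0], fields[-1]
        ftype = FTYPE_FLAGS[fields[1]] if len(fields) == 3 else None
        has_meta = any(ch in META for ch in pattern)
        specs.append((re.compile(pattern), ftype, context, has_meta))
    # Simplified precedence: literal paths beat regexes, later lines beat earlier ones.
    return sorted(specs, key=lambda s: not s[3])


def label_for(path, ftype, specs):
    """Context for a path inside the target, or None if unmatched or <<none>>."""
    for regex, want, context, _ in reversed(specs):
        if regex.fullmatch(path) and want in (None, ftype):
            return None if context == "<<none>>" else context
    return None


def apply_label(target_root, path, context):
    """Write the label as an xattr; needs root, but not an SELinux-enabled kernel."""
    value = context.encode() + b"\0"  # the context is stored NUL-terminated
    os.setxattr(target_root + path, "security.selinux", value, follow_symlinks=False)
```

An installer would call `apply_label` for every file under the target root after package installation, which is the job `setfiles` does against the real policy's file_contexts.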