> > On Thu, May 7, 2020 at 10:49 AM Russell Coker <russell@xxxxxxxxxxxx> wrote: > > > > On Thursday, 7 May 2020 6:35:11 PM AEST Laurent Bigonville wrote: > > > If people are using preseed installations (kickstart equivalent), I > > > think that enabling SELinux in the installer shouldn't be too difficult > > > (installing the needed packages, modifying the files and relabeling with > > > fixfiles). It's obviously not user friendly, but the question is what's > > > the target here. > > > > If we want to do that properly then I guess we want SE Linux enabled in the > > kernel that the installer uses and then have the policy installed early in the > > installation so the files can have the correct labels from the start instead of > > having a relabel process afterwards. > > That would be good but might be overreach for Debian since SELinux is > not the default there. It isn't strictly necessary; ever since we > went to using extended attributes for file labels, you can set them on > a non-SELinux-enabled kernel, so the installer can always set them > even if its kernel doesn't enable SELinux. Optimally they would be > set by the package manager based on file_contexts; that is what rpm > does in Fedora/RHEL. Or you can always run setfiles after package > installation but before rebooting into the SELinux-enabled kernel. > You don't need to defer labeling until you have SELinux enabled. On Thu, May 7, 2020 at 9:54 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: I found this: - https://man.sr.ht/builds.sr.ht/compatibility.md It seems to have Fedora-30,31 and rawhide. It seems to be free as well (for now) I would be a little leary using it, seems new, its only in alpha, and looks like it could disappear at any moment. The travis ubuntu to fedora VM might be heavy, but it would at least provide us with something stable... for awhile or we look at getting some better infrastructure support for running a CI job on.
