> > On Thu, May 7, 2020 at 11:02 AM William Roberts > <bill.c.roberts@xxxxxxxxx> wrote: > > > > > > > > On Thu, May 7, 2020 at 10:49 AM Russell Coker <russell@xxxxxxxxxxxx> wrote: > > > > > > > > On Thursday, 7 May 2020 6:35:11 PM AEST Laurent Bigonville wrote: > > > > > If people are using preseed installations (kickstart equivalent), I > > > > > think that enabling SELinux in the installer shouldn't be too difficult > > > > > (installing the needed packages, modifying the files and relabeling with > > > > > fixfiles). It's obviously not user friendly, but the question is what's > > > > > the target here. > > > > > > > > If we want to do that properly then I guess we want SE Linux enabled in the > > > > kernel that the installer uses and then have the policy installed early in the > > > > installation so the files can have the correct labels from the start instead of > > > > having a relabel process afterwards. > > > > > > That would be good but might be overreach for Debian since SELinux is > > > not the default there. It isn't strictly necessary; ever since we > > > went to using extended attributes for file labels, you can set them on > > > a non-SELinux-enabled kernel, so the installer can always set them > > > even if its kernel doesn't enable SELinux. Optimally they would be > > > set by the package manager based on file_contexts; that is what rpm > > > does in Fedora/RHEL. Or you can always run setfiles after package > > > installation but before rebooting into the SELinux-enabled kernel. > > > You don't need to defer labeling until you have SELinux enabled. > > > > On Thu, May 7, 2020 at 9:54 AM Stephen Smalley > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > I found this: > > - https://man.sr.ht/builds.sr.ht/compatibility.md > > > > It seems to have Fedora-30,31 and rawhide. > > It seems to be free as well (for now) > > I would be a little leary using it, seems new, its only in alpha, > > and looks like it could disappear at any moment. > > > > The travis ubuntu to fedora VM might be heavy, but it would at least provide > > us with something stable... for awhile or we look at getting some > > better infrastructure support for running a CI job on. > > Fedora's own CI infrastructure seems like a better bet for the near > term wrt testing on Fedora; Petr appears to be already exploring using > it. I though the Fedora CI was limiting the amount of testing and triggering tests, no? Or is that why he is exploring it to see if we can get around them? > My goal here though is to improve the level of support outside of > just Fedora and its derivatives. Definitely a plus.