but it feels incorrect on CoreOS where things should be immutable.
Has anyone tried to use Udica generated policies (or SELinux policies in general) on CoreOS?
(also I see a related issue with 45 comments. I only read the last one (…) which brings a solution: building an rpm to install the policies. But it feels a bit overkill for my use case).
Thanks! I’ve ended up going this route and writing a small rpm that runs semodule -i in a %post section. Bundled as well is an nftables ruleset so that traffic can be marked as “internet” or “intranet” (or left unlabeled), which can then be allowed in the SELinux policy with (allow process intranet_packet_t ( packet ( send recv )))
In the end the systemd service is written like this: