First, some context. Inspired by work done by Universal Blue and related communities, I decided to try bootc technology myself. I used blue-build.org to build my variant off the GitHub - ublue-os/main: OCI base images of Fedora with batteries included. I chose this variant as the base because it’s close to what Fedora Silverblue is OOTB. The goal of having a custom OS image is to make my installs look and feel the same, to provide my settings and the flatpak apps I normally install (to --user, not --system) after the OS is installed. Among my use cases are virt-manager to run Windows VM(s) for my consultancy work, and having a systemd-homed managed user home for better privacy and security. With all the required technology in place, there are a few “holes” I’d like to help with “plugging”:
With the necessary SELinux policies in place for systemd-homed, I still have to set SELinux contexts on the systemd-homed executables under /usr/lib/systemd/ manually. /usr is read-only, thus sudo mount -o remount,rw /usr is necessary. This leaves /usr writable until the next reboot, which is not good from a security point of view.
A similar thing for /usr/bin/swtpm - I have to fix the SELinux context manually. Again, making /usr writable. And yes, I read the threads about swtpm in this forum and elsewhere - some of the fixes are on their way.
There are directories needed by both systemd-homed and swtpm that are missing in a fresh install. Some require specific ownership. E.g., /var/lib/swtpm-localca is needed by swtpm and should be owned by the tss group; without that directory it is impossible to create new VMs requiring a TPM.
A couple of points to move out of the way:
Why virt-manager and not the gnome-boxes flatpak? The gnome-boxes flatpak has no USB forwarding, which is a blocker for me.
Just to make it clear - I want to help fix this by testing, reporting, etc. I might be wrong, but to me it seems pretty easy to set proper SELinux contexts and create the required directories OOTB. This would greatly improve UX.
That said, I need your advice on where to log bugs/feature requests to resolve the issues mentioned above.
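The missing state directories described in the post above are the kind of thing an image build can declare instead of leaving to a manual mkdir on the booted system. The following shell script is an added example (not code from the thread, from ublue-os/main or from blue-build): it is meant to run as a build step while the OS image is assembled, writes a systemd-tmpfiles.d drop-in so the directory is created with the right ownership at every boot, and offers a check function for a booted system. The directory path and the tss group come from the post; the drop-in file name local-vm-homed.conf, the 0750 mode and tss as the owning user are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the projects it mentions.
# Run as a RUN step during the image build, so the state directory the thread
# lists is declared in the image rather than created by hand after install.
# Path and tss group come from the thread; the file name, the 0750 mode and
# the tss user are assumptions.
set -eu

# PREFIX lets the script be exercised against a scratch tree; empty on a real build.
PREFIX="${PREFIX:-}"

# One tmpfiles.d line. Type "d" creates the directory at boot if missing and
# adjusts mode and ownership. Fields: type path mode user group age
tmpfiles_line() {
    printf 'd %s %s %s %s -\n' "$1" "$2" "$3" "$4"
}

# Write the drop-in under /usr/lib/tmpfiles.d, the vendor directory that lives
# in the (read-only) image; /etc/tmpfiles.d is for local overrides. Prints the
# path of the file written.
write_tmpfiles_conf() {
    conf="$PREFIX/usr/lib/tmpfiles.d/local-vm-homed.conf"
    mkdir -p "$(dirname "$conf")"
    {
        echo '# swtpm state directory; created at boot by systemd-tmpfiles'
        tmpfiles_line /var/lib/swtpm-localca 0750 tss tss
    } > "$conf"
    printf '%s\n' "$conf"
}

# Check on a booted system: does the directory exist with the expected group?
# Prints a one-line verdict; exit status 0 only when it matches.
check_dir_group() {
    dir="$1"; want="$2"
    if [ ! -d "$dir" ]; then
        printf 'missing: %s\n' "$dir"
        return 1
    fi
    have="$(stat -c %G "$dir")"
    if [ "$have" != "$want" ]; then
        printf 'wrong group on %s: %s (want %s)\n' "$dir" "$have" "$want"
        return 1
    fi
    printf 'ok: %s\n' "$dir"
}

# Apply a drop-in right away (needs root) so the check can run without a reboot.
apply_now() {
    systemd-tmpfiles --create "$1"
}
```

Usage on a build: `write_tmpfiles_conf` with PREFIX unset; on a booted system, `check_dir_group /var/lib/swtpm-localca tss` tells you whether the directory is there and owned as expected without changing anything. Keeping the directory in tmpfiles.d rather than shipping it under /var means it survives reinstalls and updates the same way the rest of the image does.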
Could you point me to those workarounds, please? Until this is solved properly, I’d like to make the workarounds in my “personal OS” less dangerous.
Will do.
I really don’t mind running a couple of extra commands to get libvirt/virt-manager working in Silverblue until proper fixes/updates are in place. But missing directories and SELinux contexts should be low-hanging fruit to deal with, IMHO.
I think we are ready with SELinux policies for systemd-homed. Tremendous work has been done by @richiedaze, who created the SELinux policies and this guide to get it working in Fedora (including Atomic variants) - Building a new home with systemd-homed on fedora
So with his guide and SELinux policies one can create and use systemd-homed managed users. If the SELinux policies were in place and PAM was updated with systemd-homed (e.g., via authselect) OOTB, users could just create homed-managed users with homectl.
It looks like there is some work planned in the GUI area, but I don’t know the details, thus I might be wrong.
I’d say fixing SELinux contexts, adding the missing directories and enabling systemd-homed in the PAM config OOTB is the MVP for systemd-homed to become usable. Of course, GUI goodies, e.g., user creation/modification via GNOME Settings, are welcome too.
I have been waiting since January for someone to have time to review this pull request; patience is a virtue. I am now trying to figure out the errors myself and see if I can fix them myself.
From what I can see from the pull request there are several problems.
Every time the policy gets built, my modifications don’t get added to the policy even though it claims to build successfully.
Could anyone share a tip or point to a solution on how to change/set the SELinux context label of read-only file(s) without remounting the whole file system/directory read-write?
An Internet search did not help. I guess I don’t know the proper keywords for the search.
Update on the issue with systemd-homed. As fixing SELinux contexts for systemd-homed did not work the Bluefin way (using bind mounts), I mounted /usr rw and fixed the SELinux labels. Later, I assume after an update, the systemd-homed executables and systemd services were re-labeled with the default SELinux labels, which rendered my homed-managed user unusable (pun intended).
Because of this I must revert to “stock” Silverblue until bootc gets proper SELinux labels for the systemd-homed stuff and libvirt/virt-manager as well.
That’s a pity, as I liked the bootc approach, but I also realize time is needed to get things fixed properly.
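Two things in this thread are worth being able to measure without changing anything: whether /usr is still mounted writable after a remount (the exposure the first post worries about), and which files under a directory carry a label that differs from what the loaded policy expects (the drift reported after an update, and the question about relabeling read-only files). The script below is an added example, not code from the thread; it is a read-only audit that uses findmnt (util-linux) and matchpathcon (policycoreutils), relabels nothing, and embeds a constructed sample of matchpathcon output so the parsing can be exercised on a machine without SELinux. The type names in the sample are illustrative, not taken from any policy on the page.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only audit: reports whether /usr
# is writable and which files are labeled differently from what the loaded policy
# says. Nothing is relabeled; a durable fix belongs in the policy and the image.
set -eu

# Parse a findmnt OPTIONS string such as "ro,relatime,seclabel" into rw|ro|unknown.
mount_mode_from_options() {
    case ",$1," in
        *,rw,*) echo rw ;;
        *,ro,*) echo ro ;;
        *)      echo unknown ;;
    esac
}

# Live query: how is /usr mounted right now? (-f: first match only)
usr_mount_mode() {
    mount_mode_from_options "$(findmnt -fno OPTIONS /usr)"
}

# matchpathcon -V prints "<path> verified." for matching files and
# "<path> has context <current>, should be <expected>" for mismatches.
# Keep only the mismatches, rewritten as "<path> <current> <expected>".
parse_matchpathcon() {
    sed -n 's/^\(.*\) has context \([^,]*\), should be \(.*\)$/\1 \2 \3/p'
}

# Live audit of a directory tree. Paths containing spaces are not handled by the
# final read; that is acceptable under /usr/lib/systemd and /usr/bin.
audit_labels() {
    find "$1" -xdev \( -type f -o -type d \) -print0 \
        | xargs -0 matchpathcon -V 2>/dev/null \
        | parse_matchpathcon \
        | while read -r path cur want; do
              printf 'MISMATCH %s is %s want %s\n' "$path" "$cur" "$want"
          done
}

# Constructed sample of matchpathcon -V output (not captured from a real system).
SAMPLE_REPORT='/usr/lib/systemd/systemd-homed verified.
/usr/bin/swtpm has context system_u:object_r:bin_t:s0, should be system_u:object_r:swtpm_exec_t:s0'

# Parse the constructed sample; prints one line for the single mismatch in it.
demo_parse() {
    printf '%s\n' "$SAMPLE_REPORT" | parse_matchpathcon
}

# Stand-alone run: report the /usr mount mode and audit the two directories the
# thread mentions, if the tools are present.
if [ "${1:-}" = "--live" ]; then
    printf '/usr is mounted %s\n' "$(usr_mount_mode)"
    audit_labels /usr/lib/systemd
    audit_labels /usr/bin
fi
```

Running `sh audit.sh --live` after an update shows immediately whether the labels reverted and whether an earlier remount left /usr writable until the next reboot. `restorecon -nv PATH` gives the same kind of dry-run view for a single path. Both are checks only; they are the evidence to attach to a bug report rather than a replacement for the policy fix.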