Managing SELinux in Fedora CoreOS

I’ve found some GitHub issues saying that managing SELinux policies in FCOS is not that easy and in some cases even impossible. Is this really a thing? Are SELinux policies meant to be immutable in FCOS?

There is no difference regarding what you can or can not do with SELinux on Fedora CoreOS compared to classic package-based Fedora. You can load your own SELinux modules on Fedora CoreOS.

The main difference is that we don’t include SELinux tools (semanage, etc.) by default in the image as they rely on Python.

You can however create and compile your modules in a (toolbox) container and then install them on the host without issues. Or use CIL modules to skip the compilation step.

Example CIL module: CIFS DFS Mounts Failing on F38 due to SELinux denials · Issue #1447 · coreos/fedora-coreos-tracker · GitHub
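The workflow described in this answer, as an added example that is not part of the original post or the linked issue: a CIL module is written on the host and loaded directly with `semodule -i`, which accepts `.cil` files without a compile step. The types and permissions in the module body are constructed for illustration and should be replaced with the ones from your own AVC denials.

```shell
#!/usr/bin/env bash
# Added example, not from the forum thread. Writes a small CIL module and
# loads it with semodule, which is present on Fedora CoreOS even though the
# Python-based tools (semanage, audit2allow) are not shipped in the image.
set -euo pipefail

# Write a constructed CIL module to $1 and print the path.
# CIL resolves type names across the whole policy, so no "require" block
# is needed; the rules below are placeholders for your own denials.
write_cil_module() {
    local path="$1"
    cat > "$path" <<'EOF'
; example_local: constructed demo module, adjust to your own AVC denials
(allow container_t cifs_t (dir (read search open)))
(allow container_t cifs_t (file (read open getattr)))
EOF
    echo "$path"
}

# Cheap sanity check before touching the live policy: parentheses balance
# and the file carries at least one allow rule.
check_cil_module() {
    local path="$1"
    local opens closes
    opens=$(tr -cd '(' < "$path" | wc -c)
    closes=$(tr -cd ')' < "$path" | wc -c)
    [ "$opens" -eq "$closes" ] || return 1
    grep -q '^(allow ' "$path"
}

# Load the module; the module name is taken from the file name (without .cil).
# Requires root and a host with semodule, so it only runs when asked for.
install_cil_module() {
    local path="$1"
    sudo semodule -i "$path"
    sudo semodule -l | grep -qx "$(basename "$path" .cil)"
}

if [ "${1:-}" = "--install" ]; then
    mod=$(write_cil_module /etc/selinux/example_local.cil)
    check_cil_module "$mod"
    install_cil_module "$mod"
fi
```

Run the script with `--install` on the host to load the module; `semodule -r example_local` removes it again.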


An alternative way to temporarily get semanage on your system without installing it permanently is to use a systemd system-extension (sysext).

I’ve pushed an example for semanage in GitHub - travier/fedora-sysexts: Example sysexts for Fedora image based systems.