SELinux Confined users: only user_u is launching the Desktop?

I install the SELinux testing tools in the container (the images are in GNOME Boxes). But since the user_t policy doesn’t allow sudo or su, you need to use an admin account to check the AVCs. Switching back and forth sucks, though I haven’t tried to ssh into the admin account yet.

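The post above points out that a user_t session cannot sudo or su, so the AVC records have to be read from a separate admin account. The following is an added example (my own code, not from the thread or from the selinux-policy project) of what to do with the output once you have it from that admin session: it parses raw `ausearch -m AVC -ts recent` records, groups denials per SELinux user (user_u, sysadm_u, ...) and merges them into audit2allow-style `allow` lines so you can see at a glance which type/class pairs a confined desktop session is tripping over. The audit records are constructed sample data; the types and process names in them are illustrative, not denials taken from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of audit.log AVC records (not real denials from the
# thread). On a real system the admin account would produce these with:
#   ausearch -m AVC -ts recent
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1717000000.101:301): avc:  denied  { read write } for  pid=4101 comm="firefox" name="video0" dev="devtmpfs" ino=512 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1717000000.102:302): avc:  denied  { read write } for  pid=4101 comm="firefox" name="video0" dev="devtmpfs" ino=512 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1717000000.250:303): avc:  denied  { write } for  pid=2210 comm="bluetoothctl" name="bluez" dev="tmpfs" ino=77 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:bluetooth_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1717000000.300:304): avc:  denied  { getattr } for  pid=4101 comm="firefox" path="/dev/video0" dev="devtmpfs" ino=512 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1717000000.300:304): arch=c000003e syscall=257 success=no exit=-13 comm="firefox"
"""

# One AVC record: decision, permission set, optional comm, then the two
# contexts, the object class and (on newer kernels) the permissive flag.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'(?:.*? comm="(?P<comm>[^"]*)")?'
    r'.*? scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    # Contexts are user:role:type[:level]; the first three fields are what we need.
    rec["seuser"], rec["srole"], rec["stype"] = rec["scontext"].split(":")[:3]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was allowed but would be denied in enforcing mode.
    rec["permissive"] = rec["permissive"] == "1"
    return rec


def summarize(log_text):
    """Count denied permissions per SELinux user, keyed by (source type, target type, class, perm)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            summary[rec["seuser"]][(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return summary


def suggest_allow_rules(log_text):
    """audit2allow-style output: one allow line per (stype, ttype, tclass) with permissions merged."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for seuser, counts in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"== {seuser}")
        for (stype, ttype, tclass, perm), n in counts.most_common():
            print(f"  {n:3d}x {stype} -> {ttype}:{tclass} {perm}")
    print("== candidate rules (review before using; a boolean or label fix may be the right answer)")
    for rule in suggest_allow_rules(SAMPLE_AUDIT_LOG):
        print("  " + rule)
```

The rules it prints are a starting point for reading, not for loading: for the GUI problems discussed in this thread the proper fix is usually an existing boolean, a mislabeled file or a policy ticket, and `audit2allow -w` (which explains each denial) together with `ausearch -i` is the tool to reach for before writing a local module. The `permissive=1` records are kept in the summary on purpose, because they are exactly the accesses that will start failing once the domain is enforcing.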

I saw you triggered me, but at the moment, I cannot invest much time here. I just roughly skimmed the end of the topic, but in case that question is still open & relevant:

By default, user_u, staff_u and sysadm_u should work, whereas it is necessary to enable the x boolean in sysadm_u if you want to log into a GUI (GNOME, KDE, and so on).

Generally, at the moment, all should log in to the respective desktop (although I didn’t do a test with GNOME for some time). But issues might occur once you are logged in: maybe some buttons don’t work, maybe some bluetooth devices cannot be added or connected, or applications break, or the camera does not work in the browser. Things like that. This is what we have to work on. But much has already improved recently.

At the moment (state as of F40), as far as the use with GUIs is concerned, I test only KDE, sometimes with user_u and mostly with sysadm_u: I generally have the problem that the camera is not usable with all confinements (including sysadm_u) (tested within Firefox, with MS Teams and Zoom), and I cannot add bluetooth devices, whereas I can use some of them if they were added without confinement (regarding bluetooth, e.g., a mouse works in confinement once added, a speaker does not → an issue with the audio-related policy, I guess, and unlike the mouse, this is not just input to the system but also output). There is also a minor issue with virt-manager, but I consider it more a virt-manager related issue rather than a need for adjusting policies (virt-manager cannot connect to virtual monitors, but cockpit can; the way they connect differs).

There are further issues with user_u/staff_u. I currently have a main user that is assigned a confined profile explicitly (user_u or sysadm_u), whereas my __default__ is set to user_u. This, e.g., confines the user in cockpit, but also all other users that are (with or without a real user) active on the system.

But feel free to open a dedicated topic with our tags if you currently experience something completely different, and provide data about it (you can see in the below repo’s tickets and also in bugzilla reports what type of information is necessary).

All of that is documented in the GitHub repo of selinux-policy. If you experience something, you might check there whether your issues are already known and whether possibilities exist to mitigate them. Also relevant is the bugzilla of the component, although I think at the moment this is more a minor point for the SIG (might change over time).

I hope I am not too off-topic, but as I was triggered and read that you are up to some awesome thoughts and tests, I felt like posting something :wink: I keep watching and try to follow the topic :smiling_face:
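The point in the post above about the explicit mapping for the main user versus `__default__` being user_u (so that cockpit sessions and every other login end up confined) comes down to how the seusers mapping is resolved at login. As an added example (my own code, not from the thread or from libselinux), the script below parses `semanage login -l` output and models the lookup order that libselinux and pam_selinux apply: an entry for the login name itself wins, otherwise the first matching `%group` entry, otherwise `__default__`. The table is constructed sample data with hypothetical logins (alice, bob, carol); the mapping on your own machine is whatever `semanage login -l` prints.

```python
# Constructed `semanage login -l` output (sample data; logins are hypothetical).
SAMPLE_SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
%wheel               staff_u              s0-s0:c0.c1023       *
alice                sysadm_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""


def parse_login_table(text):
    """Return [(login, seuser, mls_range)] in file order; header and blank lines skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Login":
            continue
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def resolve_seuser(login, groups, rows):
    """Model of the seusers lookup order (libselinux getseuserbyname / pam_selinux):
    an exact login entry wins immediately; otherwise the first %group entry whose
    group the login belongs to; otherwise __default__.
    Returns (seuser, matched_entry), or (None, None) if nothing matches."""
    group_hit = default_hit = None
    for name, seuser, _mls_range in rows:
        if name == login:
            return seuser, name
        if name.startswith("%") and group_hit is None and name[1:] in groups:
            group_hit = (seuser, name)
        elif name == "__default__" and default_hit is None:
            default_hit = (seuser, name)
    return group_hit or default_hit or (None, None)


def unconfined_logins(rows):
    """Entries still mapped to unconfined_u: the list to review when rolling out confined users."""
    return [name for name, seuser, _ in rows if seuser == "unconfined_u"]


if __name__ == "__main__":
    rows = parse_login_table(SAMPLE_SEMANAGE_LOGIN)
    # Hypothetical logins and their group memberships (as `id -Gn` would list them).
    for login, groups in [("alice", ["alice", "wheel"]),
                          ("bob", ["bob", "wheel"]),
                          ("carol", ["carol"]),
                          ("root", ["root"])]:
        seuser, via = resolve_seuser(login, groups, rows)
        print(f"{login:6s} -> {seuser:12s} (via {via})")
    print("still unconfined:", unconfined_logins(rows))
```

With this table carol, who has no entry of her own and is in no mapped group, lands on user_u through `__default__`, and so does every service login that authenticates through PAM, which is the cockpit effect described above. The corresponding system commands are `semanage login -m -s user_u __default__` to change the default and `semanage login -a -s staff_u <login>` to map one user explicitly; a change only takes effect for new sessions, and for a sysadm_u graphical login the boolean the post refers to is `xdm_sysadm_login` (`setsebool -P xdm_sysadm_login on`).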