While Garden Linux has always been running with SELinux, it now finally supports running SELinux in enforcing mode. Over the last few weeks I made several adjustments to make sure we could switch from permissive mode to enforcing mode. With the last commit pushed, the gardenlinux-selinux-module is reactivated together with the patched refpolicy package within the Garden Linux build pipeline. All related packages are now available in the Garden Linux repositories.
Unfortunately, I ran into many issues caused by Debian Testing's refpolicy package, which was a show stopper for several services, including casual bash usage after login or systemd-resolved start-up (see also bug #1012755). Further bug reports and messages did not lead to a solution. Not even direct solutions could be found at DebConf 2022 by getting in touch with some people in person. Thanks to chrinorse for getting in touch with others at DebConf 2022.
Therefore, I considered switching to Fedora's SELinux policy instead, which seemed to fit our needs perfectly. However, this step would have meant further implications such as patching, maintaining and integrating it into Garden Linux, which we would rather avoid.
Just as I was finishing everything, refpolicy 2:2.20220520-2 got pushed and migrated to Debian Testing. Giving the new package a try, many issues were finally solved. However, some rules (mostly Garden Linux related) still had to be added and will be delivered as a dedicated, Garden Linux specific package called gardenlinux-selinux-module. Besides this, we still had to patch refpolicy, which is now also part of the Garden Linux repository.
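The rules that end up in a dedicated module like gardenlinux-selinux-module are typically derived from the AVC denials a system logs while it still runs in permissive mode. The following script, added here as an illustration and not code from the Garden Linux project, mirrors what audit2allow does: it parses AVC records from the audit log, merges the denied permissions per source type, target type and object class, and renders a `.te` policy source. The audit lines, the type names and the module name `example_local` are all constructed for this example.

```python
"""Turn SELinux AVC denial records into candidate allow rules for a policy module.

Added example, not code from the Garden Linux project: denials collected while a
system still runs in permissive mode are merged into allow rules that can be
reviewed and, where legitimate, packaged into a custom module before switching
to enforcing mode. The log lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not captured from any real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1660000000.123:45): avc:  denied  { read } for  pid=1234 comm="systemd-resolve" name="resolv.conf" dev="vda1" ino=5678 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1660000000.123:46): avc:  denied  { open } for  pid=1234 comm="systemd-resolve" path="/etc/resolv.conf" dev="vda1" ino=5678 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1660000000.123:46): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1660000001.500:47): avc:  denied  { execute } for  pid=2000 comm="bash" name="ls" dev="vda1" ino=999 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

# One AVC line: denied permissions, source/target contexts, object class, permissive flag.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return one dict per AVC denial line; non-AVC records (SYSCALL etc.) are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1: logged but allowed; permissive=0: the access was really blocked
            "enforced": m.group("permissive") == "0",
        })
    return denials


def aggregate_rules(denials):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_te(rules, module_name="example_local", version="1.0"):
    """Render a .te source file: module header, require block, then the allow rules."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    blocked = sum(d["enforced"] for d in found)
    print(f"{len(found)} denials parsed, {blocked} of them actually blocked")
    print(render_te(aggregate_rules(found)))
```

The rendered `.te` is a starting point for review, not something to ship as-is: each generated `allow` should be checked against what the service legitimately needs, because an over-broad rule quietly removes the confinement the policy exists to provide. Once reviewed, the source is compiled and packaged with the usual `checkmodule` and `semodule_package` tooling and loaded with `semodule`.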