Basic SELinux support

I’ve spent a bit of time messing around with getting incus to run with SELinux in enforcing mode.

The good news is that doing audit2allow isn’t necessary. Instead we can ride the coattails of the container_*_t type contexts.

The following file contexts seem to be working on my system:

/usr/s?bin/incus                   --  gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/s?bin/incus-.*                --  gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/lib/incus/.*                  --  gen_context(system_u:object_r:container_runtime_exec_t:s0)
/usr/lib/systemd/system/incus.*    --  gen_context(system_u:object_r:container_unit_file_t:s0)
/var/lib/incus(/.*)?                   gen_context(system_u:object_r:container_var_lib_t:s0)
/var/log/incus(/.*)?                   gen_context(system_u:object_r:container_log_t:s0)

You can set these with various semanage fcontext -a -t …

Then just do a restorecon on each of them.

Note, these have not been tested significantly. But they do seem to work with containers.

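The semanage fcontext / restorecon procedure from the post written out as a script. This is an added example, not code from the post; it assumes the loaded policy already defines the container_* types and that semanage and restorecon are installed, and DRY_RUN=1 only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the file contexts from
# the post with semanage, then relabel with restorecon. Assumes the loaded
# policy defines the container_* types and that semanage/restorecon exist.
set -eu

# One rule per line: "<ftype> <regex> <type>". ftype "f" = regular file
# (the "--" column in a file_contexts file), "a" = any file type.
incus_fcontext_rules() {
    cat <<'EOF'
f /usr/s?bin/incus container_runtime_exec_t
f /usr/s?bin/incus-.* container_runtime_exec_t
f /usr/lib/incus/.* container_runtime_exec_t
f /usr/lib/systemd/system/incus.* container_unit_file_t
a /var/lib/incus(/.*)? container_var_lib_t
a /var/log/incus(/.*)? container_log_t
EOF
}

# Run a command, or only print it when DRY_RUN=1 so it can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_incus_fcontexts() {
    # -a adds a local rule (use -m instead if the rule already exists),
    # -f is the file type, -t the target SELinux type; the path is a regex.
    incus_fcontext_rules | while read -r ftype regex setype; do
        run semanage fcontext -a -f "$ftype" -t "$setype" "$regex"
    done
    # Relabel what is on disk so the new rules take effect (-R = recursive).
    for f in /usr/bin/incus* /usr/sbin/incus* /usr/lib/systemd/system/incus*; do
        if [ -e "$f" ]; then run restorecon "$f"; fi
    done
    for d in /usr/lib/incus /var/lib/incus /var/log/incus; do
        if [ -d "$d" ]; then run restorecon -R "$d"; fi
    done
}

# Dry-run relabel (-n) with -v: prints every path whose label still differs
# from policy; empty output means the contexts are applied correctly.
check_incus_fcontexts() {
    restorecon -R -n -v /usr/lib/incus /var/lib/incus /var/log/incus
}
```

Run `check_incus_fcontexts` after applying; any path it lists still carries a label that does not match the rules.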

Also seems to work fine with VMs.