I did some testing to play around with the idea of baking SELinux policy installation into a squashfs image. @numinit had this idea as well. From this testing, it seems very much to be possible. It’s not a major point of concern; the store really is where my concerns are. However, both are a solvable problem now.
Hey, @RossComputerGuy, how did you solve the problem of preventing writes to the overlay? I assume you’d have to unmount the SELinux overlay and remount it after the writes to the Nix store.
I was also trying to solve this problem by using an overlayfs with metacopy=on and tagging each of the files on the overlay with trusted.overlay.metacopy. I know the nix daemon sees a different mount namespace (so it wouldn’t see the upper layer), but if the lower layer is changed while this is mounted, is that undefined behavior?
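As an added example (not code from either poster or from Nix itself), here is a sketch of the unmount-write-remount sequence the two posts above describe, with an overlayfs mounted with metacopy=on so that relabeling the store through the overlay copies up only inode metadata rather than file data. The paths (/nix/store as lower, an upper and work directory under /var/lib/nix-selinux, and a mount point /nix/store-labeled) and the wrapper names are assumptions for illustration. Two caveats from the kernel's overlayfs documentation ("Changes to underlying filesystems" in Documentation/filesystems/overlayfs.rst) are worth keeping in mind: changing the lower tree while the overlay is mounted is undefined behaviour, and offline changes to the lower tree are only supported when the metacopy, redirect_dir and index features have never been used on that overlay. The script therefore refuses to touch the store while the overlay is mounted, but the second caveat is not something a script can work around.

```shell
#!/usr/bin/env bash
# Added example: unmount the SELinux overlay around Nix store writes.
# All paths below are assumptions, not values from the original thread.
set -eu

LOWER=${LOWER:-/nix/store}                  # read-only source tree (assumed)
UPPER=${UPPER:-/var/lib/nix-selinux/upper}  # holds relabeled metadata only
WORK=${WORK:-/var/lib/nix-selinux/work}
MNT=${MNT:-/nix/store-labeled}              # where the labeled view is mounted

# Compose the mount options. With metacopy=on a chown/chmod/setxattr through
# the overlay copies up only the inode metadata; the kernel then marks the
# upper inode with trusted.overlay.metacopy, and data keeps coming from lower.
overlay_opts() {
  local lower=$1 upper=$2 work=$3
  printf 'lowerdir=%s,upperdir=%s,workdir=%s,metacopy=on' "$lower" "$upper" "$work"
}

# Succeed (exit 0) if $1 is listed as an overlay mount point in a
# /proc/self/mounts-style table read from stdin (field 2 = mount point,
# field 3 = filesystem type). Kept separate so it can be checked offline.
mounted_in_table() {
  local target=$1
  awk -v t="$target" '$2 == t && $3 == "overlay" { found = 1 } END { exit !found }'
}

is_mounted() { mounted_in_table "$MNT" < /proc/self/mounts; }

mount_overlay() {
  mkdir -p "$UPPER" "$WORK" "$MNT"
  mount -t overlay overlay -o "$(overlay_opts "$LOWER" "$UPPER" "$WORK")" "$MNT"
}

unmount_overlay() { umount "$MNT"; }

# Apply the file contexts from the loaded policy through the overlay. Each
# setxattr of security.selinux triggers a metadata-only copy-up under
# metacopy=on, so the upper layer stays small.
relabel_overlay() { restorecon -R "$MNT"; }

# Run a store-modifying command only while the overlay is not mounted, since
# the overlayfs docs treat lower-layer changes under a live mount as undefined.
with_store_unmounted() {
  if is_mounted; then unmount_overlay; fi
  "$@"
  mount_overlay
  relabel_overlay
}

# Example invocation (requires root and a kernel with CONFIG_OVERLAY_FS_METACOPY):
#   with_store_unmounted nix-store --add ./some-file
```

The guard in with_store_unmounted only covers writes made from this script; a nix-daemon running in its own mount namespace, as the post above notes, would not go through it, which is exactly the remaining problem the thread is asking about.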