Custom SELinux policy module in bootc container

[stephan-tolksdorf]

Hi,

What’s the proper way to enable a custom SELinux policy module in a (Fedora) bootc container image and then have it active in the installed system?

I’m doing checkmodule, semodule_package and then semodule -i. Afterwards the module is in /etc/selinux/targeted/active/modules/400. However, after the installation of the system from the image, the policy is not active or present in/etc/selinux/targeted/active/modules/400.

[stephan-tolksdorf]

At least without a transient /etc, simply configuring everything in the container actually works as expected. A bug in my build pipeline may have tripped me up.