I have dug around for quite a while and cannot find information on enabling selinux if I am booting using systemd-boot in Tumbleweed. I chose to use that instead of GRUB, and the typical GRUB instructions (which seem to be everywhere) do not work to enable selinux on boot in my case.
With all respect - if you chose to use an experimental bootloader not fully supported by distribution tools, you are expected to know how to find answers to such questions.
You can wait until yast2-bootloader 5.0.9+ hits the mirrors or you can read man kernel-install which explains where kernel options are stored. And you can also read man systemd-boot which explains how to edit kernel command line during boot. What to put on the kernel command line should be in those “typical GRUB instructions” because it does not change with bootloader.
Naturally, the GRUB instructions will not work for systemd-boot - it is, in fact, not GRUB.
While I’d probably advise you to reconsider using experimental bootloaders if you are unaware of how they work - you’ll likely encounter other issues you cannot solve - the way to enable AppArmor or SELinux (choose one or the other, not both, btw) is essentially the same as on GRUB, only where you put the options changes.
On a default openSUSE install, systemd-boot stores its entries in /boot/efi/loader/entries/. If you are using BTRFS with snapshots, you will find an entry for each snapshot; find the one you are currently booting (the latest snapshot most likely - you can check with, for example, sudo snapper list).
Open that entry in your text editor of choice and look for the line starting with options; this is where you will append your kernel boot options. For SELinux, for instance, you’ll put security=selinux selinux=1 enforcing=1 for enforcing, or enforcing=0 for permissive, at the end of the string.
If, on the other hand, you don’t want to make any permanent changes, you can set the options temporarily during boot by pressing e while having your chosen entry selected.
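The permanent edit described above, as an added example that is not icodrop's or openSUSE's code: set_kernel_option rewrites the options line of a loader entry, replacing an existing key (so enforcing=1 becomes enforcing=0 instead of appearing twice) or appending a missing one. It assumes a type #1 entry with a single lowercase "options" line; the entry it operates on here is a constructed sample with placeholder paths and UUID, not a real file under /boot/efi/loader/entries/.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: edit the "options" line of a systemd-boot
# loader entry the way the post describes, idempotently. Assumes a type #1 entry
# with exactly one lowercase "options" line.
set -eu

# set_kernel_option ENTRY_FILE KEY[=VALUE] : replace KEY if present, else append
set_kernel_option() {
    local entry="$1" opt="$2" key="${2%%=*}" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v opt="$opt" '
        $1 == "options" {
            out = "options"; seen = 0
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")                 # kv[1] is the option name
                if (kv[1] == key) {                # same key: replace once, drop duplicates
                    if (!seen) { out = out " " opt; seen = 1 }
                    continue
                }
                out = out " " $i
            }
            if (!seen) out = out " " opt           # key absent: append at the end
            print out; next
        }
        { print }                                  # every other line is left unchanged
    ' "$entry" > "$tmp"
    cat "$tmp" > "$entry"                          # write back in place (keeps inode and mode)
    rm -f "$tmp"
}

# entry_options ENTRY_FILE : print the kernel command line stored in the entry
entry_options() { sed -n 's/^options[[:space:]]\{1,\}//p' "$1"; }

# make_sample_entry DIR : write a constructed sample entry (placeholder paths, zero UUID)
make_sample_entry() {
    local entry="$1/opensuse-tumbleweed-sample.conf"
    cat > "$entry" <<'EOF'
title openSUSE Tumbleweed (constructed sample)
linux /opensuse-tumbleweed/PLACEHOLDER-version/linux
initrd /opensuse-tumbleweed/PLACEHOLDER-version/initrd
options root=UUID=00000000-0000-0000-0000-000000000000 rootflags=subvol=@ quiet security=apparmor
EOF
    printf '%s\n' "$entry"
}

if [ "${1:-}" = "--demo" ]; then
    dir="$(mktemp -d)"; entry="$(make_sample_entry "$dir")"
    for opt in security=selinux selinux=1 enforcing=1; do set_kernel_option "$entry" "$opt"; done
    entry_options "$entry"    # security=apparmor replaced, selinux=1 enforcing=1 appended
    rm -rf "$dir"
fi
```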
Firstly, thank you both for replying and trying to help! The answer that @icodrop posted is exactly what I was looking for. Before I had even posted, I had already read through the man files that @arvidjaar posted about and I had already tried using YaST to enable selinux on the bootloader. I don’t know exactly why that did not work, but doing it via nano in the terminal directly on the .conf files does work for me. I do appreciate you going out of your way to post screenshots though.
Secondly, I do want to quickly say that I was taken aback at first by the response saying that I should not ask questions if I choose to use a new feature of the openSUSE OS such as the systemd-boot loader. I could not disagree more. In fact, choosing the systemd-boot bootloader is an easy drop-down option in the default installer and there is no warning anywhere that I should not use it, nor that it is experimental. But even if it was, open source projects need users to test things and ask questions and find issues (such as the selected MAC system not loading when selected). I have been part of many open source projects and the biggest marker of success I have ever seen is when many users do try the software in various ways and the community is supportive and builds useful forum posts like this one to help other users in the future. I am excited about the future of the openSUSE project and I want it to succeed; so let’s work together to improve documentation and answer questions like this for current and future users. It’s certainly fair to suggest it might be wise for me to use GRUB in order to avoid future problems, and I appreciate that, but in this case, I am specifically doing this for fun and to experiment, and to help test things out for the project, so I am backing up my data and ready if something goes wrong.
Thank you both once again for taking the time to reach out and offer ideas.
I’m sorry if it came across that way, I certainly don’t want to discourage you from asking questions - if you don’t know something, how would you learn if you don’t ask?
It was just a disclaimer to make sure you knew what you were getting into.
Anyways, a few things you should be aware of when using systemd-boot (at least they were true last I checked):
Systemd-boot does not update itself; when there’s a systemd update you’ll have to update systemd-boot in the boot partition manually with sudo bootctl update or alternatively sudo systemctl enable systemd-boot-update.service which will do so for you on boot.
If you used the default partitioning of the installer, the 500MB boot partition may or may not end up filled up depending on how many snapshots and kernels you keep - even if the kernel is uninstalled, systemd-boot will keep relevant files around so long as there is an entry that references that kernel. Should you run out of space you will have to delete the relevant entries and run sudo bootctl cleanup if it does not do so automatically.
You can delete the entries by deleting the snapshots with snapper, which will then delete the entries for you through the sdbootutil-snapper plugin.
Since you are using SELinux, and I assume you are using the targeted policy, last I checked no relevant policy existed for sdbootutil and snapper, leading to the plugin failing to delete entries because it doesn’t have permission to do so.
You can check if this is still true by, while in enforcing, deleting a snapshot with snapper and then checking if the relevant entry in systemd-boot was deleted also and/or by checking /var/log/snapper.log for any relevant errors (or check the audit logs for AVC denials).
Should that still be the case (it may or may not have been fixed since) and you don’t know how to use/write SELinux policies, open another thread and I’ll help you out.
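The audit-log half of the check described above, as an added example that is not icodrop's or the project's code: avc_denials keeps only AVC "denied" records whose comm= is one of the process names given (here sdbootutil and snapper) and summarises the denied permissions, object class and contexts. Real input would come from ausearch -m AVC -ts recent or /var/log/audit/audit.log; the records embedded here are constructed, and the *_t type names in them are placeholders, not the policy's real types.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: filter AVC denials for the processes involved
# in snapshot-entry cleanup (sdbootutil, snapper). Input records are read on stdin.
# SAMPLE_AUDIT is constructed; its PLACEHOLDER_*_t types are not real policy types.
set -eu

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:201): avc:  denied  { unlink } for  pid=4242 comm="sdbootutil" name="PLACEHOLDER-snapshot-42.conf" dev="vfat" ino=77 scontext=system_u:system_r:PLACEHOLDER_snapperd_t:s0 tcontext=system_u:object_r:PLACEHOLDER_boot_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=87 success=no exit=-13 comm="sdbootutil" exe="/usr/bin/sdbootutil"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write remove_name } for  pid=4242 comm="sdbootutil" name="entries" dev="vfat" ino=12 scontext=system_u:system_r:PLACEHOLDER_snapperd_t:s0 tcontext=system_u:object_r:PLACEHOLDER_boot_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=999 comm="unrelated" name="x" scontext=system_u:system_r:PLACEHOLDER_other_t:s0 tcontext=system_u:object_r:PLACEHOLDER_other_t:s0 tclass=file permissive=0'

# avc_denials COMM... : one summary line per AVC denial whose comm= is in COMM...
avc_denials() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        /^type=AVC / && /avc:  denied/ {
            match($0, /[{][^}]*[}]/)                       # "{ write remove_name }"
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)                     # -> "write remove_name"
            split("", kv)                                  # reset key=value map per record
            for (i = 1; i <= NF; i++) {
                eq = index($i, "="); if (eq == 0) continue
                v = substr($i, eq + 1); gsub(/"/, "", v)   # strip quotes from comm="..."
                kv[substr($i, 1, eq - 1)] = v
            }
            if (!(kv["comm"] in keep)) next                # not a process we asked about
            printf "%s denied {%s} on %s: %s -> %s (permissive=%s)\n",
                   kv["comm"], perms, kv["tclass"], kv["scontext"], kv["tcontext"], kv["permissive"]
        }'
}

# avc_denial_count COMM... : number of matching denials on stdin (0 means the path was allowed)
avc_denial_count() { avc_denials "$@" | awk 'END { print NR }'; }

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | avc_denials sdbootutil snapper
fi
```

Run with --demo to see the two sdbootutil denials from the sample; on a live system pipe ausearch output in instead, right after deleting a snapshot while enforcing.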
Well, I have a VM with MicroOS + systemd-boot + FDE (systemd-pcrlock) which has SELinux in enforcing mode by default and I have not seen any issues with sdbootutil or snapper.
What does not work - systemd socket to listen on VSOCK port 22 like in other VMs I use. But that is off-topic here.