MicroOS - selinux correct configuration w/ combustion

linuxuser3134 · April 17, 2026, 3:31pm

Hello, I have been using Combustion to provision MicroOS from the selfinstall.iso and have the lines below added to my script inside my mounted combustion file. I assumed this would work so didn’t do a deep dive into the documentation, and it does appear to: after the first boot from Combustion, if I immediately restart, the autorelabel happens. I would then manually run transactional-update run rm /.autorelabel and reboot a second time. After this second reboot, sestatus shows the correct output (enforcing, targeted) and I proceed on my merry way.

However, I saw that in the official documentation they recommend putting .autorelabel inside /etc/selinux/ or (.autorelabel is unnecessary?) and just running transactional-update setup-selinux.

I started investigating my system more thoroughly after reading this documentation and found only two types of denial errors since December 2025…

16. 02/26/2026 17:48:58 bootctl system_u:system_r:snapper_sdbootutil_plugin_t:s0 0 dir rmdir system_u:object_r:dosfs_t:s0 denied 126
34. 04/17/2026 01:54:45 chattr system_u:system_r:snapper_sdbootutil_plugin_t:s0 0 capability linux_immutable system_u:system_r:snapper_sdbootutil_plugin_t:s0 denied 179

I’m wondering if this is a symptom of the way I’ve been setting up selinux.

Is the .autorelabel process even necessary when using combustion with the selfinstall.iso? What are the correct steps of configuring selinux from the selfinstall.iso?

The original selinux lines in my script…

echo ">>> STARTING SELINUX PROVISION..."
mkdir -p /etc/selinux
cat <<EOF > /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

echo ">>> SCHEDULING FILESYSTEM RELABEL..."
touch /.autorelabel

I’m assuming i’d update this to the following and then run transactional-update setup-selinux. Is doing any of this necessary? Should i just be running transactional-update setup-selinux right after i boot and removing any combustion selinux configuration?

echo ">>> STARTING SELINUX PROVISION..."
mkdir -p /etc/selinux
cat <<EOF > /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

echo ">>> SCHEDULING FILESYSTEM RELABEL..."
echo "-F" > /etc/selinux/.autorelabel

here is the link to documentation: Portal:MicroOS/SELinux - openSUSE Wiki

mhurron · April 17, 2026, 4:26pm

SELinux has been default on MicroOS for a while, I wouldn’t expect you need to do anything to get it in its default state.

Why do you think you need to do this second relabel?

linuxuser3134 · April 17, 2026, 7:08pm

I did this because when i did the self install with combustion without doing this it was not enabled.

mhurron · April 18, 2026, 8:20pm

Ok, just tested what’s going on. This is only true if you leave the system running at the first prompt. This is because the kernel command line when booting off the iso does not enable the selinux module. The installed system itself though is setup to enable it as documented.

If you immediately reboot when the system first comes up after running your combustion script, SELinux will be enabled and the file system will be relabelled.

Basically, don’t do any SELinux ‘setup’ stuff in your script, don’t touch .autorelabel, and reboot the system right after the first login.

linuxuser3134 · April 23, 2026, 1:24am

Okay, so I just need to reboot the system after combustion is finished and it will automatically be enabled? Don’t do anything otherwise?

mhurron · April 23, 2026, 1:32am

Ya, you need to boot off the installed kernel, not the iso.

linuxuser3134 · April 23, 2026, 3:05am

yeah, i just tested a deployment out and it looks like thats all that was needed. I dont know why i did all that .relabel stuff.

Thanks for the help!

system · April 30, 2026, 3:05am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.