> the challenges we have with SELinux in the Fedora build system.
Can you please explain specifically what the problem is?
One of the problems is that the result of a pungi compose that is performed
with SELinux enforcing does not install SELinux enabled by default,
because [a chain of events] the DVD/CD does not contain the policy file,
partly because under enforcing you cannot create a virtualized /dev/null
that has the right context.
http://bugzilla.redhat.com/show_bug.cgi?id=343861
http://bugzilla.redhat.com/show_bug.cgi?id=343851
The workaround is "setenforce 0" during the pungi compose.
In general, it looks to me like SELinux itself cannot be virtualized.
[I really didn't expect it, but nevertheless I cannot find it.]
This means that any time you want to "fake it", then you must
turn off enforcing, or create a full virtualized OS instance
that has enforcing off.
--