I'm developing an embedded config on an Intel Atom board. It is a government app and will go through vetting. Likely it will be compared to the RedHat and Ubuntu Security Technical Implementation Guides (STIGs), as there are no specific embedded Linux STIGs.

That means I need features like iptables, displaying the government computer warning message, preserved logs, and SELinux.

System parameters: busybox init, GUI via nodm and openbox, ext4 file system, bootloader varies with both grub and syslinux (extlinux), sshd

I've found a few issues and fixed them with the help of audit2allow and made a custom policy and loaded it to address some of the issues.  I think there are some mislabels and confusion since the /var/run folder is on a tmpfs (I tried to set a context in the fstab but that broke it worse).

On boot up, the auditd which helps so much with debugging SELinux can't even run because it can't obtain permissions for its log files and .pid file. But after boot up, I can manually start it. It might be because restorecond runs AFTER auditd in the init order. I also lose out on acpid, which starts earlier and can't open its socket (/run/acpid.socket). Lack of early logging means I don't have enough info to add to the policy. I've also tried to tweak /etc/selinux/restorecond.conf and move its init script to earlier in the startup.

The system doesn't recognize /.autorelabel and is also missing semanage (the Python script is not built, and even if it were, the Python hooks to libsemanage it needs were deprecated in 2015).

Lastly, I can't log in via ssh as a user, as it can't determine my user's default context. Googling the error shows some results, many of which are decades old. I tried adding to the policy's local.users file, but that didn't help.

I have root ssh logins working via public keys. I enabled the relevant boolean and sshd_config values.

I wanted to ask if anyone was actively using SELinux and was hoping you could share some of your knowledge, tweaks, policies, and other hints. I'm especially interested in getting the labels correct on the image before first boot.

Thanks,
Jonathan
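An added example (not from the original post): when auditd cannot start early in boot, the kernel still prints AVC denials to the ring buffer (dmesg), so they can be parsed from there without audit.log. The script below turns such lines into the per-(source, target, class) allow rules audit2allow would emit, and separately flags denials whose target is tmpfs_t, which on a tmpfs-backed /var/run usually indicate a labeling problem rather than a missing rule. The sample denial lines are constructed.

```python
"""Summarise SELinux AVC denials (e.g. from dmesg) into TE allow rules."""
import re
from collections import defaultdict

# Constructed sample of what early-boot denials might look like in dmesg.
SAMPLE_LOG = """
[    3.1] audit: type=1400 audit(1.2:5): avc:  denied  { write } for  pid=301 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
[    3.2] audit: type=1400 audit(1.2:6): avc:  denied  { create } for  pid=301 comm="auditd" name="auditd.pid" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
[    2.9] audit: type=1400 audit(1.1:4): avc:  denied  { create } for  pid=210 comm="acpid" name="acpid.socket" scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file permissive=0
[    2.9] audit: type=1400 audit(1.1:4): avc:  denied  { write } for  pid=210 comm="acpid" name="acpid.socket" scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file permissive=0
"""

# Extract permissions, source type, target type and object class from one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+:(?P<stype>\w+):\S+\s+tcontext=\S+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)"
)


def parse_denials(text):
    """Return {(stype, ttype, tclass): set(perms)} aggregated over all AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules


def to_allow_rules(rules):
    """Render one TE allow rule per (source, target, class), audit2allow style."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def suspected_mislabels(rules, generic_types=("tmpfs_t",)):
    """Heuristic: denials against a mount's generic type (tmpfs_t) mean the file
    never got its intended label; fix labeling (restorecon / file context or a
    filetrans rule) before adding an allow rule for the generic type."""
    return sorted(k for k in rules if k[1] in generic_types)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("\n".join(to_allow_rules(found)))
    print("likely mislabels:", suspected_mislabels(found))
```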