Something like SELinux would let you make any distro just as immutable as any of those distros in the list, to a finer level of granularity, and without having to use a specialized distro.
People that want an entirely containerized distro probably don't want to maintain a bunch of SELinux rules or deal with the inevitable breakages that occur due to old/poorly designed software that is needed for one reason or another. It's entirely opposite of the goal of making everything a drop-in no-maintenance package.
Sure, and on any distro you can "sudo mount -o remount,ro /" and also have a useless distro, just like using selinux to make the whole thing immutable.
The difference is you won't have to spend 2 years learning a custom policy language.
> also have a useless distro, just like using selinux to make the whole thing immutable.
Absolute nonsense.
> The difference is you won't have to spend 2 years learning a custom policy language.
If you had bothered to spend maybe 2 months bothering to learn this tech that's been around for almost 20 years, you wouldn't have to use specialty distros to accomplish what your distro can already do natively.
I've never been a fan of willful ignorance and fearmongering, and I see a lot of that when it comes to SELinux.
If your goal is a usable immutable distro, selinux is the wrong tool. It just doesn't operate at the layer of creating a linux distro, or declaring what containers are running, or declaring a list of flatpak apps, or whatever.
My point, by comparing selinux to "mount" and calling them equally useless, was not that they are not useful tools in their niches.
My point was that they are useless if your goal is to build a usable immutable distro.
SELinux is a hammer that cannot be used to turn a default debian installation into a usable immutable linux distro. The initial claim of "using SELinux rather than a dedicated distro can work" was nonsense, so of course the thread of replies off this is nonsense. GIGO as they say.
It could certainly be a lot nicer and more straightforward (and there are competing solutions that are), but people vastly exaggerate the difficulty of learning it, and dismiss the advantages that come from having it properly configured.
How? How do you get immutability from SELinux policies (specifically without crafting detailed policies for everything running in the entire userland--at which point you're just begging for a distro, right?)?
Honestly, if you really want something immutable and distro-agnostic, you probably want something like btrfs snapshots; however, converting the root filesystem to btrfs is probably a pain, and there will be some initial configuration to prepare some cloud-init, ignition, etc before you take your initial snapshot and you'll also probably want to configure some "boot from snapshot" type functionality, at which point it would be pretty nice to have all of this packaged up in a distro so each user doesn't have to figure all of that out every time.
SELinux isn't about immutability, it's about program confinement. Running each daemon in its own fs/user/net namespace comes a lot closer to mimicking the value of SELinux than making the OS immutable.
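For concreteness, here is what per-daemon fs/user/net namespace confinement looks like on a systemd-based distro, as an added example that comes from none of the commenters above. It assumes a hypothetical daemon `exampled` that needs no network at all and only needs writable state under /var/lib/exampled; every directive used is a real systemd option, but the service and paths are made up.

```ini
# /etc/systemd/system/exampled.service (hypothetical unit, added example)
#
# The point of the thread: "mount -o remount,ro /" makes the whole box
# read-only for everyone. The directives below instead give ONE daemon
# its own read-only view of the filesystem plus private user and network
# namespaces, leaving the rest of the system untouched.
[Unit]
Description=Example daemon confined with systemd namespaces (hypothetical)

[Service]
ExecStart=/usr/bin/exampled --state-dir /var/lib/exampled

# --- filesystem namespace: private read-only root for this process only ---
ProtectSystem=strict        # entire tree read-only except /dev, /proc, /sys
ProtectHome=yes             # /home, /root, /run/user appear empty
PrivateTmp=yes              # private /tmp and /var/tmp
PrivateDevices=yes          # private /dev with pseudo-devices only
StateDirectory=exampled     # creates /var/lib/exampled and keeps it writable
                            # despite ProtectSystem=strict

# --- user namespace: drop to an unprivileged, transient uid ---
DynamicUser=yes             # allocate a uid/gid for the lifetime of the service
PrivateUsers=yes            # own user namespace; only root/nobody/service uid mapped
NoNewPrivileges=yes         # setuid/setcap binaries cannot regain privileges
CapabilityBoundingSet=      # empty set: no capabilities at all

# --- network namespace: loopback only, no external interfaces ---
PrivateNetwork=yes

# --- extra kernel attack-surface reduction ---
RestrictNamespaces=yes      # the daemon may not create further namespaces
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictRealtime=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security exampled.service` scores the remaining exposure and lists every directive still left open, which is the quick check to run before deciding whether a full SELinux policy is still needed for that daemon.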