My customized ParticleOS configuration

             @@ -8,6 +8,5 @@     8      8mkosi.version     9      9.mkosi-private    10     10mkosi.packages/    11       keys/    12     11mkosi.profiles/custom/mkosi.extra/usr/local/bin/    13     12versions/

             @@ -2,9 +2,9 @@     2      2     3      3[ParticleOS](https://github.com/systemd/particleos) is an extremely cool     4      4meta-distribution from the systemd project. It's my favorite thing in software     5       since I discovered IPv6. Concretely, it's a configuration for systemd's     6       [`mkosi` tool](https://mkosi.systemd.io/) that you use to build your own     7       ParticleOS images. As described in the readme:            5since getting into IPv6. Concretely, it's a configuration for systemd's [`mkosi`            6tool](https://mkosi.systemd.io/) that you use to build your own ParticleOS            7images. As described in the readme:     8      8     9      9> ParticleOS is a fully customizable immutable distribution implementing the    10     10concepts described in [Fitting Everything             @@ -16,15 +16,14 @@    16     16  - A/B partitions for worry-free upgrades and rollbacks    17     17  - Block-level integrity provided by    18     18    [dm-verity](https://wiki.archlinux.org/title/Dm-verity)    19         - Authenticity provided by a signature on the dm-verity data, done with    20           your own keys           19  - Authenticity provided by a signature on the dm-verity data, with signing           20    done by your own keys    21     21- Is easily hacked on, just like traditional mutable OSes    22     22  - Essentially *is* a traditional OS (one of Arch, Debian, or Fedora), built    23           fully from regular distro packages    24         - Hacking on `/usr` is done at image build-time, rather than during OS    25           runtime           23    from regular distro packages           24  - Hacking on `/usr` is done at image build-time, rather than during OS runtime    26     25- Is signed with your own SecureBoot keys    27       - LUKS-encrypted root partition with TPM-stored key for automatic unlocking           26- LUKS-encrypted root partition with TPM-bound key for automatic unlocking    28     27- LUKS-encrypted home directory managed by    29     28  [`systemd-homed`](https://systemd.io/HOME_DIRECTORY/)    30     29             @@ -31,6 +30,9 @@    31     30This here is my own customized version/soft fork of ParticleOS. It's the Fedora    32     31variant.    33     32           33See [here](https://www.cgl.sh/blog/posts/particleos.html) for my blog post on           34ParticleOS and mkosi.           35    34     36## Notable files/directories    35     37    36     38- [makefile](makefile)—contains most important commands. `build` and

             @@ -10,6 +10,8 @@    10     10Packages=    11     11        bash-color-prompt    12     12        bpftool           13        # cryptsetup luksAddKey --token-type systemd-tpm2 /dev/<device> fails           14        # for me otherwise    13     15        cracklib-dicts    14     16        cryptsetup    15     17        distribution-gpg-keys

             @@ -1,4 +1,5 @@     1      1[Content]            2Hostname=     2      3Packages=     3      4        # keyrings for building other distro images     4      5        archlinux-keyring             @@ -94,6 +95,7 @@    94     95        osc    95     96        # needed for bell fish function    96     97        ocean-sound-theme           98        oxygen-sounds    97     99        pre-commit    98    100        python3-neovim    99    101        nmap             @@ -124,7 +126,6 @@   124    126        sqlite   125    127        stgit   126    128        tcpdump   127               # not yet available for fedora 43   128    129        terraform-ls   129    130        tmux   130    131        toolbox             @@ -141,7 +142,6 @@   141    142        wireshark   142    143        yubikey-manager   143    144        gnupg2-scdaemon   144               kernel   145    145        # repository directory comes from mkosi.packages   146    146        repository/opensnitch_ui.rpm   147    147        repository/opensnitch.rpm

             @@ -0,0 +1,2 @@            1SELINUX=permissive            2SELINUXTYPE=targeted

             @@ -0,0 +1,60 @@            1# Authors: Jason Tang <jtang@tresys.com>            2#            3# Copyright (C) 2004-2005 Tresys Technology, LLC            4#            5#  This library is free software; you can redistribute it and/or            6#  modify it under the terms of the GNU Lesser General Public            7#  License as published by the Free Software Foundation; either            8#  version 2.1 of the License, or (at your option) any later version.            9#           10#  This library is distributed in the hope that it will be useful,           11#  but WITHOUT ANY WARRANTY; without even the implied warranty of           12#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU           13#  Lesser General Public License for more details.           14#           15#  You should have received a copy of the GNU Lesser General Public           16#  License along with this library; if not, write to the Free Software           17#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA           18#           19# Specify how libsemanage will interact with a SELinux policy manager.           20# The four options are:           21#           22#  "source"     - libsemanage manipulates a source SELinux policy           23#  "direct"     - libsemanage will write directly to a module store.           24#  /foo/bar     - Write by way of a policy management server, whose           25#                 named socket is at /foo/bar.  The path must begin           26#                 with a '/'.           27#  foo.com:4242 - Establish a TCP connection to a remote policy           28#                 management server at foo.com.  If there is a colon           29#                 then the remainder is interpreted as a port number;           30#                 otherwise default to port 4242.           31module-store = direct           32           33# When generating the final linked and expanded policy, by default           34# semanage will set the policy version to POLICYDB_VERSION_MAX, as           35# given in <sepol/policydb.h>.  Change this setting if a different           36# version is necessary.           37#policy-version = 19           38           39# expand-check check neverallow rules when executing all semanage           40# commands. There might be a penalty in execution time if this           41# option is enabled.           42expand-check=0           43           44# usepasswd check tells semanage to scan all pass word records for home directories           45# and setup the labeling correctly. If this is turned off, SELinux will label only /home           46# and home directories of users with SELinux login mappings defined, see           47# semanage login -l for the list of such users.           48# If you want to use a different home directory, you will need to use semanage fcontext command.           49# For example, if you had home dirs in /althome directory you would have to execute           50# semanage fcontext -a -e /home /althome           51usepasswd=False           52bzip-small=true           53bzip-blocksize=5           54ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var           55optimize-policy=true           56           57[sefcontext_compile]           58path = /usr/sbin/sefcontext_compile           59args = -r $@           60[end]

             @@ -0,0 +1,3 @@            1L? /etc/selinux/targeted            2C /etc/selinux/config          -    -    -     -   /usr/share/factory/etc/selinux/config            3C /etc/selinux/semanage.conf   -    -    -     -   /usr/share/factory/etc/selinux/semanage.conf