SELinux Application Whitelist

The Whitelist Policy is based on SELinux mechanism

Installation:
1. sudo add-apt-repository ppa:itri-icl-fteam/selinuxapplicationwhitelist
2. sudo add-apt-repository ppa:itri-icl-fteam/selinuxpackage
3. sudo apt-get update
4. sudo apt install attr selinuxpack-libsepol selinuxpack-libselinux selinuxpack-libsemanage selinuxpack-checkpolicy selinuxpack-dbus selinuxpack-gui selinuxpack-mcstrans selinuxpack-policycoreutils selinuxpack-python selinuxpack-sandbox selinuxpack-secilc selinuxpack-semodule-utils selinux-app-whitelist-policy selinux-configuration
5. sudo install_selinux.sh

After deployment, you may get snapd denied messages.
Use the script below to fix this issue.

#!/bin/bash
# $1 is the absolute path of snap image
# you should execute journalctl -b|grep -i "denied.*snapd.*dev", and get value from dev=,
# e.g. loop2
# Execute "losetup -l | grep loop2", and get snap image path,
# e.g. /var/lib/snapd/snaps/snapd_12057.snap

imagename=$(basename $1)
image_root="$HOME/squashfs-root"
relabel_image_out="$HOME/$imagename"

[ -d $image_root ] && rm -r $image_root
if [ -f $1 ]
then
        unsquashfs -d $image_root $1
        chcon -R -t whitelist_t $image_root
        mksquashfs $image_root $relabel_image_out
else
        echo "No such file: "$1
fi

Then, sudo mv ./snapd_12057.snap /var/lib/snapd/snaps/snapd_12057.snap