Warn of mkosi's sshd lacking support in distros' SElinux policy

author Laurence Kiln <246209442+LaurenceKiln@users.noreply.github.com>

Thu, 27 Nov 2025 19:20:38 +0000 (21:20 +0200)

committer Daan De Meyer <daan.j.demeyer@gmail.com>

Fri, 28 Nov 2025 18:02:28 +0000 (19:02 +0100)
author Laurence Kiln <246209442+LaurenceKiln@users.noreply.github.com>
Thu, 27 Nov 2025 19:20:38 +0000 (21:20 +0200)
committer Daan De Meyer <daan.j.demeyer@gmail.com>
Fri, 28 Nov 2025 18:02:28 +0000 (19:02 +0100)
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md

index 166bdbf6d124f43332f44981114293df0b67059b..60644938de2f77c3b3182040890d9bfd14c88bf2 100644 (file)
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
@@ -1251,6 +1251,11 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
      You still need openssh installed in the image, and the default setting of
      `--vsock=auto` is enough to ensure a VSock is available inside the VM.
  
+    Note: if the image distro uses SELinux, mkosi's sshd service will be denied
+    access to the VSock, resulting in failure to connect to it from the host.
+    You will need to either disable SELinux enforcement, or create a custom
+    policy module (e.g. with `audit2allow`).
+
  `SELinuxRelabel=`, `--selinux-relabel=`
  :   Specifies whether to relabel files to match the image's SELinux
      policy. Takes a boolean value or `auto`. Defaults to `auto`. If
author	Laurence Kiln <246209442+LaurenceKiln@users.noreply.github.com>
	Thu, 27 Nov 2025 19:20:38 +0000 (21:20 +0200)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Fri, 28 Nov 2025 18:02:28 +0000 (19:02 +0100)