From: Laurence Kiln <246209442+LaurenceKiln@users.noreply.github.com> Date: Thu, 27 Nov 2025 19:20:38 +0000 (+0200) Subject: Warn of mkosi's sshd lacking support in distros' SElinux policy X-Git-Tag: v26~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79489534ca85e794dd15a006553af72039c253ff;p=thirdparty%2Fmkosi.git Warn of mkosi's sshd lacking support in distros' SElinux policy --- diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md index 166bdbf6d..60644938d 100644 --- a/mkosi/resources/man/mkosi.1.md +++ b/mkosi/resources/man/mkosi.1.md @@ -1251,6 +1251,11 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, You still need openssh installed in the image, and the default setting of `--vsock=auto` is enough to ensure a VSock is available inside the VM. + Note: if the image distro uses SELinux, mkosi's sshd service will be denied + access to the VSock, resulting in failure to connect to it from the host. + You will need to either disable SELinux enforcement, or create a custom + policy module (e.g. with `audit2allow`). + `SELinuxRelabel=`, `--selinux-relabel=` : Specifies whether to relabel files to match the image's SELinux policy. Takes a boolean value or `auto`. Defaults to `auto`. If
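Review bot: In the note added after the `--vsock=auto` paragraph, "disable SELinux enforcement" is offered first and without scope, so it reads as advice to switch off enforcement for the whole system to get one service working. Suggest listing the custom policy module first and stating that the change applies inside the image, not on the host. The `audit2allow` hint should also tell the reader to review the generated rules before loading the module, because it turns every logged denial it is given into an allow rule. The condition "if the image distro uses SELinux" could be narrowed to images running SELinux in enforcing mode, since denials are only logged, not enforced, in permissive mode. Minor: the subject line spells it "SElinux" while the man page text uses "SELinux".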