TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)

    • aaravchen@lemmy.zip
      2 days ago

      And it’s only necessary because Nix doesn’t include it. Which is the only way anything is allowed to run on an SELinux system. SELinux doesn’t require Nix mutation, it requires Nix to be complete.

      There are workarounds to fix Nix’s incomplete definitions, but most end users opt for the easy post-install solution that ends up mutating their store rather than including the fix as a unique derivation for every package to add the missing SELinux labels and policy.

      • iopq@lemmy.world
        1 day ago

        Which is what I was talking about when I said immutable systems need a first party solution. Meaning the system itself needs to implement it, you can’t bolt it on with packages or services.