Is anybody currently working on adding Mandatory Access Control to Tails?
Any strong opinions regarding possible solutions?
See
https://tails.boum.org/todo/Mandatory_Access_Control/
I would suggest to start with SELinux in "permissive" mode and
incrementally adapt the policy so that in a later stage - when no
"access denied" warnings occur while using Tails - "enforcing" mode can
be switched on.
The main effect of that change probably would be on the build process
because the initial file labeling takes some time and requires a reboot.
I have some experience with SELinux and Debian unstable which might
help, but installing the relevant SELinux packages and enabling
permissive mode is quite straightforward (at least in Debian unstable ;-).
Cheers,
Andreas