Some more tips:
Selinux boot parameters (search term: CONFIG_DEFAULT_SECURITY_SELINUX (I.E. the one selinux kernel config that is not set)), might be “selinux=1 security=selinux”
Also, it looks like boot parameters are managed with qvm-prefs, so for example:
qvm-prefs {qubename} kernelopts
would show you the current kernelopts. let’s say it said it’s currently using the kernel options “nopat”. Then:
qvm-prefs {qubename} kernelopts "nopat selinux=1 security=selinux"
might be all you need.
Np. I’m rooting for you.
SELinux is neat for several reasons, one being that it can reduce attack surface. For example, SELinux is run on all modern android systems, and is used to remove permission to call any calls that are only there for backwards compatibility with old libraries and you already know your libraries are new enough that they no longer use them.
Also SELinux supposedly can be used for labeling the security category of data. A discussion about trying to decide & label the security category of a entire qube is here: Picking a system for selecting colors/security labels for qubes . It might be neat if someday the selinux security category (I.E. security label) of individual files could be automatically coordinated with the qube security category somehow.
Come back tell us how it goes after you try it out. I’d be very interested to hear your results.