Hi,
I am currently trying to create a minimal fedora template with selinux.
First, i install some packages:
sudo dnf install selinux-policy selinux-policy-targeted policycoreutils policycoreutils-python-utils
change this file: sudo nano /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
& then i restarted the template. But when running
sestatus
then it still shows that it is still disabled.
What did I do wrong?
you would need to have same packages you have installed (preferably apply this to a new minimal fedora template) but then relabel the file system first then set selinux to enforce as the last step only , here is how to do it 
:
NOTE: switch back the mode to permissive temporarily from /etc/selinux/config
then reboot the template ( reboot could be not needed yet) .
sudo touch /.autorelabel
sudo reboot
qvm-prefs vmname kernelopts "swiotlb=2048 security=selinux"
additionally increase maximum startup timeout so that relabeling file system will have sufficient time (it was under 1 minute in my case so 600 seconds is more than enough) :
qvm-prefs vmname qrexec_timeout 600
then start the fedora template and check the relabeling progress -if needed- from qubes manager > open console in qube (option is greyed out until vm starts)
template may restart on its own when relabel completes! if it does then run it again.
run sestatus it should say enabled, try setting it to enforce finally
sudo setenforce 1
SELINUX=enforcing
Oh I forgot to emphasize that you would need to replace vmname In the commands I mentioned with the name of your minimal fedora template’s name of course