SELinux/portage

Domains
The portage module provides the following domains:

File types/labels
The following table lists the file type/labels defined in the portage module:

Other types
Besides the files and domains, the following types are also defined in the portage module:

File locations
The policy only provides file context rules for the default locations. If you deviate from these locations, you'll need to update the contexts accordingly.

The following table provides an overview of the Portage settings (variables in make.conf) that are commonly changed by end users, and the file context that each location should have.

If you use different locations, use the following commands to update the file contexts accordingly (the example uses /var/repo/portage for the Portage tree instead of /usr/portage):

Don't forget that Portage uses subdirectories with different labels (think distfiles or the repositories for the live ebuilds) so take care when relabelling locations!
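As an added example (not taken from the original page or from the Gentoo policy), the script below relabels a relocated tree with an equivalence rule, so that sub-paths such as distfiles inherit the labels the policy defines under /usr/portage. The function names and the APPLY variable are hypothetical; semanage, restorecon and matchpathcon are the standard SELinux utilities.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: the policy's default tree location is /usr/portage and the new
# location is /var/repo/portage, as in the text above.

DEFAULT_TREE=/usr/portage

# Print the command (dry run, the default) or execute it when APPLY=1.
# Arguments are passed as separate words, never re-parsed by a shell.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Give NEW_TREE the same labels as the default tree.
relabel_tree() {
    new_tree=${1%/}    # semanage rejects a target that ends in '/'
    case $new_tree in
        /*) ;;         # absolute paths only
        *)  echo "error: path must be absolute: $1" >&2; return 2 ;;
    esac
    if [ "$new_tree" = "$DEFAULT_TREE" ]; then
        echo "error: $1 is already the default location" >&2
        return 2
    fi
    # Equivalence rule: every path below NEW_TREE is labelled as the
    # matching path below DEFAULT_TREE would be, subdirectories included.
    run semanage fcontext -a -e "$DEFAULT_TREE" "$new_tree" &&
    # Apply the resulting default contexts to the files already on disk.
    run restorecon -R -v "$new_tree" &&
    # Verify that the on-disk context now matches the policy default.
    run matchpathcon -V "$new_tree"
}

# Dry run: prints the three commands without touching the system.
relabel_tree /var/repo/portage
```

Run it with APPLY=1 as root on the SELinux-enabled system to execute the commands instead of printing them.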

If you are using different mounts, you might need to use the rootcontext= mount option to set the initial context. If the file system does not support SELinux contexts (like NFS), you can use the context= mount option to force the context of all files on the mounted location.

SELinux booleans
The Portage module within Gentoo defines one boolean, called portage_use_nfs.


 * When portage_use_nfs is enabled, the Portage-related domains are able to manage nfs_t files, which allows the Portage tree and other locations to be NFS-mounted without correcting their label (correcting the label is still supported through the context= mount option).

To switch booleans, use setsebool or togglesebool.