SELinux/Gentoo profiles

Gentoo profiles enable and tune the SELinux-specific aspects of a Gentoo system. By default, Gentoo provides a couple of SELinux-enabled profiles, but it is entirely possible to update other profiles to enable SELinux as well.

Profile structure
In order to simplify the management of SELinux settings in profiles, the profile part is created to be as independent of other profiles as possible. In other words, it does not contain a file to inherit settings from other profiles. As a result, the SELinux-specific settings offered through the profile part can easily be "injected" into other profiles.

Usage of the selinux part
The profile part is enabled currently in the following profiles:

List of selinux-enabled profiles as seen from profile root

This is done by referencing the profile part in the profiles'  file, like so:

This means that the profile is the same as but with the  part overriding the settings (if any).

Default make settings
The SELinux settings in Gentoo are applied through the following set of changes:

Default USE settings
The following USE flags are enabled by default when a SELinux profile is set.

The  USE flag is not mandatory if the policy store that is going to be used is   or, depending on the need for unconfined domains,   and.

Default FEATURES
The following  are enabled by default when a SELinux profile is set.

Enabling POLICY_TYPES
The  variable is declared as follows:

Default POLICY_TYPES variable declaration

This variable defines, in Gentoo, for which policy stores policies need to be built and managed.

Enabling PORTAGE_T
The  variable is declared as follows:

Default PORTAGE_T variable declaration

This variable defines the domain in which regular Portage operations are performed, and is used by Portage for dynamic domain transitions and domain validation.

Enabling PORTAGE_FETCH_T
The  variable is declared as follows:

Default PORTAGE_FETCH_T variable declaration

This variable defines the domain in which Portage tree manipulation operations are performed.

Enabling PORTAGE_SANDBOX_T
The  variable is declared as follows:

Default PORTAGE_SANDBOX_T variable declaration

This variable defines the domain in which application builds are done by Portage.

Masked packages
No packages are marked as being specifically masked in SELinux enabled profiles.

Base packages
The following packages are made part of the  set when a SELinux profile is used:



Package-level forced USE flags
The following forced USE flags are set:


 * , and  now have   forced, as the management utilities on SELinux systems are based on Python. Python support in these libraries is only optional when they are used for embedded systems.
 * has  set, as  requires it and, because it is part of the base, needs to be forced so that SELinux can be installed immediately (including when building stages).

System-wide forced USE flags
Unsurprisingly,  is force-enabled system-wide.
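The two mechanisms described above, a profile part being injected through a profile's parent file so that its settings override the earlier ones, and USE flags being forced by the profile, can be made concrete with a small script. The following is an added example, not code from the Gentoo wiki or from Portage itself: it re-implements, in simplified form, how Portage walks a profile's parent chain and computes the effective make.defaults values and the set of forced USE flags. The profile tree it builds is constructed for the demo; the directory names, USE flags and variable values are placeholders and not Gentoo's real defaults. Only the file names parent, make.defaults and use.force are real Portage profile file names, and the treatment of USE and FEATURES as incremental variables (accumulated along the chain, with a leading minus removing a flag) is a simplified model of Portage's behaviour.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of how Portage walks a profile's
# "parent" chain, used here to show how a profile part such as the SELinux one
# overrides or extends the settings of the profiles listed before it.
# The profile tree built below is constructed for this demo; the directory
# names, USE flags and variable values are placeholders, not Gentoo's real
# defaults. Only "parent", "make.defaults" and "use.force" are real Portage
# profile file names; the incremental-variable handling is a simplified model.
set -eu

# Print profile directories in evaluation order: for each entry of "parent"
# (top to bottom) recurse into it first, then emit the profile itself.
# A subshell body keeps $dir and $p local across the recursion.
profile_dirs() (
    dir=$1
    if [ -f "$dir/parent" ]; then
        while IFS= read -r p || [ -n "$p" ]; do
            case "$p" in ''|'#'*) continue ;; esac
            profile_dirs "$(cd "$dir/$p" && pwd)"
        done < "$dir/parent"
    fi
    printf '%s\n' "$dir"
)

# Drop one token from a space-separated list.
drop_token() (
    out=
    for t in $1; do [ "$t" = "$2" ] || out="$out $t"; done
    printf '%s\n' "${out# }"
)

# Effective make.defaults value of variable $2 for profile $1. Incremental
# variables (USE, FEATURES) accumulate along the chain, with "-flag" removing
# an earlier flag; any other variable is replaced by the last profile that
# sets it, which is why a part listed last in "parent" overrides the rest.
effective_var() (
    var=$2 result=
    for d in $(profile_dirs "$1"); do
        [ -f "$d/make.defaults" ] || continue
        line=$(grep "^${var}=" "$d/make.defaults" | tail -n 1 || true)
        [ -n "$line" ] || continue
        val=${line#*=}; val=${val#\"}; val=${val%\"}
        case "$var" in
            USE|FEATURES)
                for tok in $val; do
                    case "$tok" in
                        -*) result=$(drop_token "$result" "${tok#-}") ;;
                        *)  result="${result:+$result }$tok" ;;
                    esac
                done ;;
            *) result=$val ;;
        esac
    done
    printf '%s\n' "$result"
)

# Union of the use.force entries along the chain (forcing only ever adds).
forced_use() (
    out=
    for d in $(profile_dirs "$1"); do
        [ -f "$d/use.force" ] || continue
        while IFS= read -r f || [ -n "$f" ]; do
            case "$f" in ''|'#'*) continue ;; esac
            out="${out:+$out }$f"
        done < "$d/use.force"
    done
    printf '%s\n' "$out"
)

# Build the constructed demo tree: a base profile, a stand-alone SELinux part
# with no "parent" file of its own, and a leaf profile that injects the part.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/base" "$root/features/selinux" "$root/default/demo/selinux"
    printf '%s\n' 'USE="base_flag shared_flag"' 'FEATURES="base_feature"' \
        'POLICY_TYPES="placeholder_base"' > "$root/base/make.defaults"
    printf '%s\n' 'USE="selinux -shared_flag"' 'FEATURES="selinux_feature"' \
        'POLICY_TYPES="placeholder_selinux"' > "$root/features/selinux/make.defaults"
    printf '%s\n' 'selinux' > "$root/features/selinux/use.force"
    # The leaf lists the base first and the SELinux part last, so the part wins.
    printf '%s\n' '../../../base' '../../../features/selinux' \
        > "$root/default/demo/selinux/parent"
    printf '%s\n' "$root/default/demo/selinux"
}

demo=$(build_demo_tree)
echo "USE:          $(effective_var "$demo" USE)"
echo "FEATURES:     $(effective_var "$demo" FEATURES)"
echo "POLICY_TYPES: $(effective_var "$demo" POLICY_TYPES)"
echo "use.force:    $(forced_use "$demo")"
```

Running the script shows the shared placeholder flag removed and the selinux flag added to USE, both FEATURES values kept, and POLICY_TYPES taking the value from the SELinux part because it is listed last in the leaf profile's parent file. Because the part has no parent file of its own, it can be listed in any profile's parent file without dragging in further inheritance, which is the independence property the page describes.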

Environment overrides
The following settings are enabled:

SANDBOX_WRITE
The definition of  is extended to allow writes to  and  as SELinux-aware applications need to be able to write to this file system (in order to perform SELinux queries).

The same  is also extended to allow writes to  to support the   call.