SELinux/Policy store

A policy store combines the SELinux policy package and the system administrator's modifications into a single logical entity. Multiple stores can exist on one system, allowing administrators to keep separate SELinux policies and switch between them (either directly or after a reboot).

Policy store location
Each policy store is kept in its own subdirectory, named after the store.

The pre-defined policy stores are strict, targeted, mcs and mls, but the set of stores is fully configurable by the administrator.

Policy differentiation
By allowing multiple policy stores, administrators can support different policies on a single system.

For instance, an administrator might have both strict and mcs available. The strict policy is built without MLS support, whereas mcs is built with it (but uses only a single sensitivity level).

Active policy store
The active policy store is selected by a variable in the SELinux configuration file.

POLICY_TYPES in make.conf
The policy stores that are to be maintained on a Gentoo system are listed in the POLICY_TYPES variable.

By default, this variable is defined in the Gentoo profile and set as follows:

The variable can be overridden in make.conf.

Switching active policy store
To switch the active policy store (i.e. the store named in the SELinux configuration file), the base policy and the other policy modules must first be built for the target store. In Gentoo this is governed by the POLICY_TYPES variable, which can be set in make.conf.

Assuming the current active policy store is strict and the target policy store is mcs, first verify that both are listed in POLICY_TYPES.

If they are not, update the variable and rebuild all SELinux policy packages so that both policy stores are populated and up to date.

Now switch to permissive mode. The next steps load the new policy and launch a full file system relabel, neither of which can be carried out while the existing policy is in enforcing mode.

Edit the SELinux configuration file and set the active policy store to the new value (mcs in the example).

Load the policy modules for the new policy store.

The mcs policy store is now active. The next step is to relabel all files, in two stages:
 * 1) relabel all accessible files
 * 2) relabel the files hidden beneath existing mount points

Edit the file system table so that the context mount options and any other SELinux mount parameters match the new policy. The main change is needed when the previous and the new policy store differ in their MLS support: for a strict to mcs switch, a trailing sensitivity level has to be appended to every context.

That is all there is to it. Reboot the system and it should come up running the new policy store, in enforcing mode.
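The whole switch as one script, added here as an illustration; it is not taken from this page or from Gentoo's own tooling. It assumes a standard Gentoo SELinux layout: the effective POLICY_TYPES value is read with portageq envvar, the active store is the SELINUXTYPE line of /etc/selinux/config, per-store modules live under /usr/share/selinux/<store>/, base.pp can be installed with semodule -i (libsemanage 2.4 or newer), and the hidden-mount relabel bind-mounts / on /mnt/root. Which stores are MLS-enabled is a name table (MLS_STORES, defaulting to mcs and mls) rather than detection, because an administrator-defined store cannot be classified from its name. The fstab helper appends the :s0 level that an mcs policy expects when moving from a non-MLS store and strips a plain level when going the other way; the sample fstab lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Gentoo's tooling: the
# strict -> mcs switch described above, scripted. Assumptions are marked.
set -eu

# Which stores build an MLS-enabled policy. A table, not detection: an
# administrator-defined store cannot be classified from its name alone.
MLS_STORES="${MLS_STORES:-mcs mls}"

# store_is_mls <store>: true when the store is listed in MLS_STORES.
store_is_mls() {
    for s in $MLS_STORES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# policy_types_has "<POLICY_TYPES value>" <store>: is the store maintained?
policy_types_has() {
    for s in $1; do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# convert_fstab_contexts <from> <to>: copy fstab lines from stdin to stdout,
# adjusting the context=, fscontext=, defcontext= and rootcontext= options.
# non-MLS -> MLS appends ":s0" to a user:role:type context that has no level,
# e.g. (constructed) "rootcontext=system_u:object_r:tmp_t" becomes
# "rootcontext=system_u:object_r:tmp_t:s0"; a context that already carries a
# level is left alone. MLS -> non-MLS strips a plain ":sN" level only.
convert_fstab_contexts() {
    from="$1"; to="$2"
    ctx='context="?[^:,"[:space:]]+:[^:,"[:space:]]+:[^:,"[:space:]]+'
    if ! store_is_mls "$from" && store_is_mls "$to"; then
        sed -E "s/(${ctx})(\"?)(,|[[:space:]]|\$)/\1:s0\2\3/g"
    elif store_is_mls "$from" && ! store_is_mls "$to"; then
        sed -E "s/(${ctx}):s[0-9]+(\"?)(,|[[:space:]]|\$)/\1\2\3/g"
    else
        cat    # both stores have the same MLS shape: nothing to rewrite
    fi
}

# switch_policy_store <from> <to>: the page's procedure, in order. Root only,
# on the host being converted; every path and tool below is an assumption
# about a standard Gentoo SELinux install.
switch_policy_store() {
    from="$1"; to="$2"
    types="$(portageq envvar POLICY_TYPES)"   # effective value: profile + make.conf
    if ! policy_types_has "$types" "$from" || ! policy_types_has "$types" "$to"; then
        echo "POLICY_TYPES=\"$types\" must list both $from and $to; fix make.conf first" >&2
        return 1
    fi
    # Rebuild every policy package so both stores are populated and current.
    emerge --oneshot $(qlist -IC sec-policy)
    # Permissive mode: required for the policy load and the full relabel.
    setenforce 0
    # Point the active-store setting at the new store (assumed: SELINUXTYPE).
    sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=${to}/" /etc/selinux/config
    # Load the new store's modules (assumes libsemanage >= 2.4, where base.pp
    # is installed with -i like any other module).
    semodule -s "$to" -i /usr/share/selinux/"$to"/*.pp
    # Relabel everything reachable.
    rlpkg -a -r
    # Relabel what is hidden beneath mount points: bind-mount / and run
    # setfiles against the underlying directories (extend the list for any
    # other mount point on the host).
    mkdir -p /mnt/root
    mount --bind / /mnt/root
    setfiles -r /mnt/root "/etc/selinux/${to}/contexts/files/file_contexts" \
        /mnt/root/dev /mnt/root/proc /mnt/root/sys /mnt/root/run /mnt/root/tmp
    umount /mnt/root
    # Rewrite the context mount options for review; install after checking.
    convert_fstab_contexts "$from" "$to" < /etc/fstab > /etc/fstab.new
    echo "review /etc/fstab.new, move it over /etc/fstab, then reboot" >&2
}

# Usage on the target host, as root:  sh switch-store.sh --apply strict mcs
# Without --apply nothing runs, so the helpers can be sourced and exercised.
if [ "${1:-}" = "--apply" ]; then
    shift
    switch_policy_store "$@"
fi
```

The fstab rewrite goes to a separate file on purpose: the regex only knows the user:role:type shape, so an administrator should read the diff before the new table is used at boot. Stores with the same MLS shape on both sides (strict to targeted, or mcs to mls) pass the table through unchanged.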