SELinux/portage

Domains
The portage module provides the following domains:

File types/labels
The following table lists the file type/labels defined in the portage module:

Other types
Besides the files and domains, the following types are also defined in the portage module:

File locations
The policy offered only contains the right file context rules for the default locations. If you deviate from these locations, you'll need to update the contexts accordingly.

The following table provides an overview of the Portage settings (variables in make.conf) that are commonly changed by end users, and the file context each location should have.

If you use different locations, use the following commands to update the file contexts accordingly (example to use /var/repo/portage for the portage tree instead of /usr/portage):

Don't forget that Portage uses subdirectories with different labels (think distfiles or the repositories for the live ebuilds) so take care when relabelling locations!

If you are using different mounts, you might need to use the rootcontext= mount option to set the initial context. If the file system does not support SELinux contexts (like NFS), you can use the context= mount option to force the context of all files on the mounted location.
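The relabelling described above, as an added example that is not part of the wiki page: instead of writing a separate rule for each file type, an fcontext equivalence rule makes every rule for the default path (including the subdirectory-specific ones the warning refers to) apply to the new location, and a check afterwards confirms that each known subdirectory resolves to the same context it would have had under the default path. It assumes semanage, restorecon and matchpathcon are installed and that the relabel runs as root; the subdirectory list and the /var/repo/portage path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: relabel a relocated Portage tree
# via an fcontext equivalence rule and verify the result.
# Assumes semanage, restorecon and matchpathcon are available and that
# portage_relabel runs as root; PORTAGE_SUBDIRS is an assumption.

# Subdirectories that carry their own label under the tree (the page warns
# about distfiles and the live-ebuild repositories); override via environment.
PORTAGE_SUBDIRS="${PORTAGE_SUBDIRS:-distfiles packages}"

# Context the loaded file-context database assigns to a path (matchpathcon -n
# prints only the context, without the path).
expected_context() {
    matchpathcon -n "$1"
}

# Register NEW as equivalent to OLD, so every file-context rule written for
# OLD (including the subdirectory-specific ones) also applies under NEW,
# then relabel NEW recursively.  Both paths must be absolute.
portage_relabel() {
    old="$1"; new="$2"
    for p in "$old" "$new"; do
        case "$p" in /*) ;; *) echo "not an absolute path: $p" >&2; return 2 ;; esac
    done
    semanage fcontext -a -e "$old" "$new" || {
        echo "could not add equivalence rule (already defined? see semanage fcontext -l)" >&2
        return 1
    }
    restorecon -R "$new"
}

# Compare the context OLD and NEW (and each known subdirectory) would get.
# Returns 0 when all match, 1 when any location would be labelled differently.
portage_verify_labels() {
    old="$1"; new="$2"; rc=0
    for sub in "" $PORTAGE_SUBDIRS; do
        want=$(expected_context "${old}${sub:+/$sub}")
        got=$(expected_context "${new}${sub:+/$sub}")
        if [ "$want" != "$got" ]; then
            echo "MISMATCH ${new}${sub:+/$sub}: $got (expected $want)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage (as root): portage_relabel /usr/portage /var/repo/portage &&
#                  portage_verify_labels /usr/portage /var/repo/portage
```

A mismatch reported by the verification step means a subdirectory rule did not carry over, which is the situation the warning about distfiles and repositories describes.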

SELinux booleans
The Portage module within Gentoo defines three booleans, called gentoo_try_dontaudit, gentoo_portage_use_nfs and gentoo_wait_requests.
 * When gentoo_try_dontaudit is enabled, the policy will hide the AVC denials of which the Gentoo developers believe they are harmless (cosmetic). If this boolean is enabled and you are experiencing permission problems, it is wise to first disable the boolean and see if you now get any denials that could explain the problem.
 * When gentoo_portage_use_nfs is enabled, the Portage-related domains are allowed to manage files labelled nfs_t, so the Portage tree and other locations can be NFS-mounted without correcting their label (correcting the label is still supported through the context= mount option).
 * When gentoo_wait_requests is enabled, policy rules that were introduced to get things working, but which are temporary until the upstream project enhances its application (a bug report is opened for each of them), are active. Disabling this boolean is only recommended if the system runs with the proper patches; the boolean exists mainly for development traceability.

To switch booleans, use setsebool or togglesebool.