Gentoo profiles enable and tune SELinux-specific aspects of a Gentoo system. By default, Gentoo provides a couple of SELinux-enabled profiles, but it is perfectly possible to update other profiles to enable SELinux.
In order to simplify the management of SELinux settings in profiles, the features/selinux profile part was created to be as independent of other profiles as possible. In other words, it does not contain a parent file to inherit settings from other profiles. As a result, the SELinux-specific settings offered through this profile part can easily be "injected" into other profiles.
Usage of the selinux part
The features/selinux profile part is enabled currently in the following profiles:
- default/linux/amd64/17.1/selinux
- default/linux/amd64/17.1/no-multilib/systemd/selinux
- default/linux/amd64/17.1/no-multilib/hardened/selinux
- default/linux/amd64/17.1/systemd/selinux
- default/linux/amd64/17.1/hardened/selinux
- default/linux/amd64/17.0/selinux
- default/linux/amd64/17.0/no-multilib/hardened/selinux
- default/linux/amd64/17.0/hardened/selinux
- default/linux/amd64/17.0/musl/hardened/selinux
- default/linux/x86/17.0/selinux
- default/linux/x86/17.0/hardened/selinux
- default/linux/x86/17.0/musl/selinux
- default/linux/arm/17.0/armv7a/selinux
- default/linux/arm/17.0/armv7a/hardened/selinux
- default/linux/arm/17.0/armv5te/selinux
- default/linux/arm/17.0/armv4t/selinux
- default/linux/arm/17.0/armv6j/selinux
- default/linux/arm/17.0/armv6j/hardened/selinux
- default/linux/arm/17.0/musl/armv7a/hardened/selinux
- default/linux/arm/17.0/musl/armv6j/hardened/selinux
- default/linux/arm64/17.0/selinux
- default/linux/arm64/17.0/systemd/selinux
- default/linux/arm64/17.0/hardened/selinux
- default/linux/arm64/17.0/musl/hardened/selinux
This is done by referencing the features/selinux profile part in the profiles' parent file, like so:
This means that the profile is the same as hardened/linux/amd64 but with the features/selinux part overriding the settings (if any).
Default make settings
The SELinux settings in Gentoo are done through the following set of changes:
Default USE settings
The following USE flags are enabled by default when a SELinux profile is set.
|USE flag|Description|
|---|---|
|selinux|Enable SELinux support in applications or pull in the proper SELinux policy|
|unconfined|Enable support for unconfined domains|
|open_perms|Enable support for the 'open' permission in SELinux for handling files|
The unconfined USE flag is not mandatory if the policy store that is going to be used is strict or, depending on the need for unconfined domains,
The following FEATURES are enabled by default when a SELinux profile is set.
|FEATURE|Description|
|---|---|
|selinux|Enable SELinux support in Portage|
|sesandbox|Enable the SELinux sandbox domain in Portage (not related to the SELinux sandbox application that was part of older sys-apps/policycoreutils packages)|
|sfperms|Enable smart file system permissions (update setuid/setgid files to remove read rights so that only execute is left)|
The POLICY_TYPES variable is declared as follows:
This variable defines, in Gentoo, for which policy stores policies need to be built and managed.
The PORTAGE_T variable is declared as follows:
This variable defines the domain in which regular Portage operations are performed; Portage uses it for dynamic domain transitions and domain validation.
The PORTAGE_FETCH_T variable is declared as follows:
This variable defines the domain in which Portage tree manipulation operations are performed.
The PORTAGE_SANDBOX_T variable is declared as follows:
This variable defines the domain in which Portage builds applications.
No packages are marked as being specifically masked in SELinux enabled profiles.
The following packages are made part of the @system set when a SELinux profile is used:
Package-level forced USE flags
The following forced USE flags are set:
- sys-libs/libselinux, sys-libs/libsemanage and app-admin/setools have USE="python" forced, as the management utilities on SELinux systems are based on Python. Building the Python bindings in these libraries is optional only for embedded systems.
- dev-lang/python has USE="xml" forced, as sys-apps/policycoreutils requires it and, since it is part of the base system, the flag needs to be forced so that SELinux can be installed immediately (including when building stages).
System-wide forced USE flags
USE="selinux" is forced enabled system-wide.
The following settings are enabled:
The definition of SANDBOX_WRITE is extended to allow writes to /selinux and /sys/fs/selinux, as SELinux-aware applications need to be able to write to this file system (in order to perform SELinux queries).
SANDBOX_WRITE is also extended to allow writes to /proc/self/ to support the