SELinux/Gentoo profiles

From Gentoo Wiki

Gentoo profiles enable and tune the SELinux-specific aspects of a Gentoo system. By default, Gentoo provides a couple of SELinux-enabled profiles, but it is entirely possible to extend other profiles so that they enable SELinux as well.

Profile structure

In order to simplify the management of SELinux settings in profiles, the features/selinux profile part is designed to be as independent of other profiles as possible: it contains no parent file, so it inherits nothing from any other profile. As a result, the SELinux-specific settings it offers can easily be "injected" into other profiles.

Usage of the selinux part

The features/selinux profile part is enabled currently in the following profiles:

CODE List of selinux-enabled profiles as seen from profile root
hardened/linux/x86/selinux
hardened/linux/amd64/selinux
hardened/linux/amd64/no-multilib/selinux
default/linux/x86/13.0/selinux
default/linux/amd64/13.0/selinux

This is done by referencing the features/selinux profile part in the profiles' parent file, like so:

root #cat hardened/linux/amd64/selinux/parent
..
../../../../features/selinux

This means that the profile is the same as hardened/linux/amd64, but with the features/selinux part applied on top of it: parent entries are evaluated in order, so any setting defined by both is taken from features/selinux.
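To make that inheritance order concrete, the following added example (not Gentoo's or Portage's own code) builds a small constructed profile tree in a temporary directory, laid out like the one above, and walks the parent files the way Portage does: every parent entry is expanded, recursively, before the next one, and the profile itself comes last. The helper names (mkprofile, profile_chain, value_in, effective_use, profile_var), the make.defaults contents and the extra base profile are assumptions made for the demonstration; it also assumes parent entries are plain relative paths (the repo:path form is not handled). USE is merged incrementally, so a "-flag" token removes a flag added earlier in the chain, while variables such as POLICY_TYPES and PORTAGE_T simply take the last assignment.

```shell
#!/bin/sh
# Walk a profile's parent chain the way Portage does and compute the resulting
# make.defaults settings. Added example, not Portage's own code; it builds a
# constructed, minimal profile tree in a temporary directory. Assumption: only
# plain relative paths in parent files (no "repo:path" entries).
set -e

PROFILES_ROOT="$(cd "$(mktemp -d)" && pwd -P)"
trap 'rm -rf "$PROFILES_ROOT"' EXIT

# mkprofile <dir relative to PROFILES_ROOT> [parent entries...]
mkprofile() {
    dir="$PROFILES_ROOT/$1"; shift
    mkdir -p "$dir"
    for p in "$@"; do printf '%s\n' "$p" >> "$dir/parent"; done
}

# Constructed tree mirroring the layout discussed on this page.
mkprofile base
printf 'USE="acl foo"\n' > "$PROFILES_ROOT/base/make.defaults"
mkprofile hardened/linux/amd64 ../../../base
printf 'USE="hardened -foo"\n' > "$PROFILES_ROOT/hardened/linux/amd64/make.defaults"
mkprofile features/selinux                      # no parent file: stands on its own
cat > "$PROFILES_ROOT/features/selinux/make.defaults" <<'EOF'
USE="selinux unconfined open_perms"
POLICY_TYPES="strict targeted"
PORTAGE_T="portage_t"
EOF
mkprofile hardened/linux/amd64/selinux .. ../../../../features/selinux

# profile_chain <profile dir>: print the profiles in evaluation order, one per
# line, relative to PROFILES_ROOT. Each parent entry is expanded (recursively)
# before the next one and the profile itself comes last, so later lines
# override earlier ones.
profile_chain() {
    (
        cd "$1" || exit 1
        here="$(pwd -P)"
        if [ -f parent ]; then
            while IFS= read -r p || [ -n "$p" ]; do
                case "$p" in ''|'#'*) continue ;; esac
                profile_chain "$p"
            done < parent
        fi
        printf '%s\n' "${here#"$PROFILES_ROOT"/}"
    )
}

# value_in <file> <var>: the double-quoted value assigned to <var>, if any.
value_in() {
    sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p" "$1"
}

# effective_use <profile dir>: USE is incremental across the chain; a token
# adds the flag, "-token" removes it again.
effective_use() {
    use=""
    for d in $(profile_chain "$1"); do
        f="$PROFILES_ROOT/$d/make.defaults"
        [ -f "$f" ] || continue
        for tok in $(value_in "$f" USE); do
            case "$tok" in
                -*) flag="${tok#-}"; new=""
                    for u in $use; do [ "$u" = "$flag" ] || new="$new $u"; done
                    use="$new" ;;
                *)  case " $use " in *" $tok "*) ;; *) use="$use $tok" ;; esac ;;
            esac
        done
    done
    printf '%s\n' "${use# }"
}

# profile_var <profile dir> <var>: non-incremental variables such as
# POLICY_TYPES or PORTAGE_T take the last assignment found in the chain.
profile_var() {
    val=""
    for d in $(profile_chain "$1"); do
        f="$PROFILES_ROOT/$d/make.defaults"
        [ -f "$f" ] || continue
        v="$(value_in "$f" "$2")"
        [ -z "$v" ] || val="$v"
    done
    printf '%s\n' "$val"
}

SEL="$PROFILES_ROOT/hardened/linux/amd64/selinux"
echo "Evaluation order for hardened/linux/amd64/selinux:"
profile_chain "$SEL"
echo "USE=$(effective_use "$SEL")"
echo "POLICY_TYPES=$(profile_var "$SEL" POLICY_TYPES)"
echo "PORTAGE_T=$(profile_var "$SEL" PORTAGE_T)"
```

Run it as a plain sh script. The chain it prints is base, hardened/linux/amd64, features/selinux and finally hardened/linux/amd64/selinux, which is why settings from features/selinux win over those of the hardened profile it is injected into, while the hardened profile's "-foo" still removes a flag that base had enabled.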

Default make settings

The features/selinux profile part applies the following set of changes:

Default USE settings

The following USE flags are enabled by default when a SELinux profile is set.

USE flag Description
selinux Enable SELinux support in applications or pull in the proper SELinux policy
unconfined Enable support for unconfined domains
open_perms Enable support for the 'open' permission in SELinux for handling files

The unconfined USE flag is not mandatory: it is not needed when the policy store in use is strict, and for the mcs and mls stores it depends on whether unconfined domains are wanted at all.

Default FEATURES

The following FEATURES are enabled by default when a SELinux profile is set.

FEATURE Description
selinux Enable SELinux support in Portage
sesandbox Enable the SELinux sandbox domain in Portage (not related to the SELinux sandbox application that shipped with older sys-apps/policycoreutils packages!)
sfperms Enable smart file system permissions: before merging, setuid files have their group and world read bits removed and setgid files their world read bit, so unprivileged users can still execute such binaries but no longer read (and thus copy or inspect) them
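As an added illustration of what sfperms does to a package's image before it is merged (example code, not Portage's own implementation, which performs this step when merging the image directory), the following script creates a constructed temporary image containing setuid, setgid, setuid+setgid and plain files and applies the rule to it. The helper names sfperms_file, sfperms_tree and mode_of, and the sample files, are assumptions made for the example.

```shell
#!/bin/sh
# Reimplementation of what FEATURES="sfperms" does to setuid/setgid files at
# merge time. Added example, not Portage's own code; it operates on a
# constructed temporary image, never on the live file system.
set -e

IMAGE="$(mktemp -d)"
trap 'rm -rf "$IMAGE"' EXIT

# Constructed sample image: three "binaries" with the classic 0755 plus
# setuid and/or setgid bits, and one plain 0755 file that must be left alone.
for name in suid sgid both plain; do : > "$IMAGE/$name"; done
chmod 4755 "$IMAGE/suid"
chmod 2755 "$IMAGE/sgid"
chmod 6755 "$IMAGE/both"
chmod 0755 "$IMAGE/plain"

# sfperms_file <path>: apply the sfperms rule to a single file.
sfperms_file() {
    if [ -u "$1" ]; then
        chmod g-r,o-r "$1"        # setuid: drop read for group and others
    elif [ -g "$1" ]; then
        chmod o-r "$1"            # setgid only: drop read for others
    fi
}

# sfperms_tree <image dir>: find every setuid or setgid regular file below the
# image directory (POSIX find: -perm -4000 / -perm -2000) and fix it up.
sfperms_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        sfperms_file "$f"
    done
}

# mode_of <path>: portable symbolic mode string (first ten characters of ls -l),
# used to inspect the result without relying on a non-portable stat(1).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

sfperms_tree "$IMAGE"
for name in suid sgid both plain; do
    printf '%s %s\n' "$(mode_of "$IMAGE/$name")" "$name"
done
```

After the run the setuid file shows as -rws--x--x, the setgid one as -rwxr-s--x, the file with both bits as -rws--s--x, and the plain file keeps -rwxr-xr-x. The execute bits survive, so the programs keep working; only the ability of other users to read the binary is removed.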

Enabling POLICY_TYPES

The POLICY_TYPES variable is declared as follows:

CODE Default POLICY_TYPES variable declaration
POLICY_TYPES="strict targeted"

This variable defines for which policy stores the SELinux policy modules are built and managed on a Gentoo system.

Enabling PORTAGE_T

The PORTAGE_T variable is declared as follows:

CODE Default PORTAGE_T variable declaration
PORTAGE_T="portage_t"

This variable defines the domain in which regular Portage operations are performed, and is used by Portage for dynamic domain transitions and domain validation.

Enabling PORTAGE_FETCH_T

The PORTAGE_FETCH_T variable is declared as follows:

CODE Default PORTAGE_FETCH_T variable declaration
PORTAGE_FETCH_T="portage_fetch_t"

This variable defines the domain in which portage tree manipulation operations are performed.

Enabling PORTAGE_SANDBOX_T

The PORTAGE_SANDBOX_T variable is declared as follows:

CODE Default PORTAGE_SANDBOX_T variable declaration
PORTAGE_SANDBOX_T="portage_sandbox_t"

This variable defines the domain in which application builds are done by Portage.

Masked packages

No packages are marked as being specifically masked in SELinux enabled profiles.

Base packages

The following packages are made part of the @system set when a SELinux profile is used:

Package-level forced USE flags

The following forced USE flags are set:

System-wide forced USE flags

Unsurprisingly, USE="selinux" is force-enabled system-wide.

Environment overrides

The following settings are enabled:

SANDBOX_WRITE

The definition of SANDBOX_WRITE is extended to allow writes to /selinux and /sys/fs/selinux (the older and the current mount point of the selinuxfs pseudo file system), as SELinux-aware applications need to be able to write to this file system in order to perform SELinux queries.

The same SANDBOX_WRITE is also extended to allow writes to /proc/self/ to support the setfscreatecon call, which sets the file creation context of the calling process by writing to /proc/self/attr/fscreate.