A policy store contains the SELinux policy package and system administrator modifications combined in a single, logical entity. Multiple stores can be used on a system, allowing administrators to have separate SELinux policies which can be switched (either directly or after reboot).
Policy store location
The policy store is located in /etc/selinux in a subdirectory called after the policy store.
Pre-defined policy stores are strict, targeted, mcs and mls, but this can be fully configured by the administrator.
By allowing multiple policy stores, administrators can support different policies on a single system.
For instance, an administrator might have both strict and mcs available. The strict policy does not support MLS, whereas mcs does (but with a single security level).
Active policy store
The active policy store is configured in /etc/selinux/config through the
# SELINUXTYPE can take one of these four values: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. # mls - Full SELinux protection with Multi-Level Security # mcs - Full SELinux protection with Multi-Category Security # (mls, but only one sensitivity level) SELINUXTYPE=strict
POLICY_TYPES in make.conf
The policy stores that need to be maintained on a Gentoo system are covered by the
By default, this variable is defined in the Gentoo profile and set as follows:
The variable can be overridden through the /etc/portage/make.conf file.
Managing policy stores
Switching active policy store
In order to switch the active policy store (i.e. the
SELINUXTYPE in /etc/selinux) it is necessary to ensure that the base policy and other policy modules are built. In Gentoo, this is handled through the
POLICY_TYPES variable which can be defined in /etc/portage/make.conf.
Assuming the current active policy store is strict and the target policy store is mcs, then verify that both are set in the variable.
If this was not the case, update the variable and then rebuild all SELinux policy packages to make sure both policy stores are available and up to date.
emerge -1 $(qlist -IC sec-policy)
Now switch to permissive mode. This is needed because in the next steps the new policy is loaded and a full file system relabel operation will be launched. This cannot be done using the existing policy in enforcing mode.
Edit /etc/selinux/config and modify
SELINUXTYPE to the new value (mcs in the example).
nano -w /etc/selinux/config
Edit /etc/selinux/sepolgen.conf and modify
SELINUX_DEVEL_PATH to the new paths in the new policy store (mcs in the example).
nano -w /etc/selinux/sepolgen.conf
Load the policy modules for the new policy store.
semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
The mcs policy store is now active. The next step is to relabel all files. This is done in two steps:
- relabel all files accessible
- relabel the files that are hidden beneath existing mount points
rlpkg -a -r
mount -o bind / /mnt/gentoo
setfiles -r /mnt/gentoo /etc/selinux/mcs/contexts/files/file_contexts /mnt/gentoo/dev
setfiles -r /mnt/gentoo /etc/selinux/mcs/contexts/files/file_contexts /mnt/gentoo/lib64
Edit the /etc/fstab file so that the
rootcontext= and other SELinux mount parameters are adjusted accordingly. The main change needed here is when the previous policy store and the new policy store are different with respect to their MLS support. So for a strict to mcs switch, a trailing
:s0 would need to be added to all contexts.
This is all to it. Now reboot the system and the new policy store should be running, in enforcing mode.