From e9b21b0ca09a15255442df0238cedca0b13c7d3d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 12 Mar 2023 21:34:15 -0500
Subject: [PATCH] Switch to "mcs" SELinux policy

We're going to want the ability for processes to have unique categories, to enforce separation of container processes. Gentoo's SELinux policy supports both Multi-Category Security and Multi-Level Security modes, although the latter does not seem to work out of the box.
---
build-rootfs.sh | 4 ++--
overlay/etc/selinux/config | 2 +-
portage/config/target/etc/portage/make.conf/60-selinux.conf | 2 ++
3 files changed, 5 insertions(+), 3 deletions(-)
create mode 100644 portage/config/target/etc/portage/make.conf/60-selinux.conf

diff --git a/build-rootfs.sh b/build-rootfs.sh
index 8da681a..642298a 100755
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -100,10 +100,10 @@ setfiles \
 -F \
 -m \
 -r /mnt/gentoo \
- -c /mnt/gentoo/etc/selinux/strict/policy/policy.* \
+ -c /mnt/gentoo/etc/selinux/mcs/policy/policy.* \
 -e /mnt/gentoo/var/db/pkg \
 -e /mnt/gentoo/etc/portage \
- /mnt/gentoo/etc/selinux/strict/contexts/files/file_contexts \
+ /mnt/gentoo/etc/selinux/mcs/contexts/files/file_contexts \
 /mnt/gentoo
 
 touch /mnt/gentoo/usr
diff --git a/overlay/etc/selinux/config b/overlay/etc/selinux/config
index ba488c2..f4ec7c8 100644
--- a/overlay/etc/selinux/config
+++ b/overlay/etc/selinux/config
@@ -12,4 +12,4 @@ SELINUX=enforcing
 # mls - Full SELinux protection with Multi-Level Security
 # mcs - Full SELinux protection with Multi-Category Security
 # (mls, but only one sensitivity level)
-SELINUXTYPE=strict
+SELINUXTYPE=mcs
diff --git a/portage/config/target/etc/portage/make.conf/60-selinux.conf b/portage/config/target/etc/portage/make.conf/60-selinux.conf
new file mode 100644
index 0000000..7a12e66
--- /dev/null
+++ b/portage/config/target/etc/portage/make.conf/60-selinux.conf
@@ -0,0 +1,2 @@
+USE="${USE} -unconfined"
+POLICY_TYPES=mcs
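Review bot: The policy type is now hard-coded as `mcs` in two setfiles arguments here and has to agree with `SELINUXTYPE=mcs` in overlay/etc/selinux/config and `POLICY_TYPES=mcs` in 60-selinux.conf; if any one of the three is changed later, the rootfs is labelled against a policy other than the one the system boots with and nothing in the script notices. A single variable near the top of the script, e.g. `SELINUX_POLICY=mcs`, used as `-c /mnt/gentoo/etc/selinux/${SELINUX_POLICY}/policy/policy.*` and `/mnt/gentoo/etc/selinux/${SELINUX_POLICY}/contexts/files/file_contexts`, keeps the script self-consistent and gives one place to cross-check against the config overlay. Separately, the pre-existing `policy.*` glob expands to every policy version present; should more than one `policy.N` file ever be installed, setfiles would receive the extra file where it expects the spec file, so a guard that the glob matches exactly one file before the call would fail fast instead of mislabelling. The setfiles command begins outside the hunk.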
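Review bot: The new make.conf fragment drops the `unconfined` USE flag with no comment recording why, and the effect is significant: with `SELINUX=enforcing` already set in overlay/etc/selinux/config, every login and service must then run in a confined domain, so whatever maps users to confined roles needs to be present in the image before this is safe — that is not visible from this patch, so it is worth confirming. A short header such as `# Build only the mcs policy and drop the unconfined module so that every process, including container payloads, runs in a confined domain; SELINUXTYPE in /etc/selinux/config must match POLICY_TYPES.` would preserve the intent from the commit message in the file itself and name the file this value has to stay in step with. Note also that the mcs policy only provides the category mechanism; assigning a unique category range to each container is done by the container runtime, which is outside this change.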