dustin
/
aimee-os
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Switch to "mcs" SELinux policy 

We're going to want the ability for processes to have unique categories,
to enforce separation of container processes.  Gentoo's SELinux policy
supports both Multi-Category Security and Multi-Level Security modes,
although the latter does not seem to work out of the box.
master
Dustin 2023-03-12 21:34:15 -05:00
parent cb7e0a5819
commit e9b21b0ca0
3 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
build-rootfs.sh
View File

@ -100,10 +100,10 @@ setfiles \
-F \ -F \
-m \ -m \
-r /mnt/gentoo \ -r /mnt/gentoo \
-c /mnt/gentoo/etc/selinux/strict/policy/policy.* \ -c /mnt/gentoo/etc/selinux/mcs/policy/policy.* \
-e /mnt/gentoo/var/db/pkg \ -e /mnt/gentoo/var/db/pkg \
-e /mnt/gentoo/etc/portage \ -e /mnt/gentoo/etc/portage \
/mnt/gentoo/etc/selinux/strict/contexts/files/file_contexts \ /mnt/gentoo/etc/selinux/mcs/contexts/files/file_contexts \
/mnt/gentoo /mnt/gentoo
touch /mnt/gentoo/usr touch /mnt/gentoo/usr

2
overlay/etc/selinux/config
View File

@ -12,4 +12,4 @@ SELINUX=enforcing
# mls - Full SELinux protection with Multi-Level Security # mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security # mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level) # (mls, but only one sensitivity level)
SELINUXTYPE=strict SELINUXTYPE=mcs

2
portage/config/target/etc/portage/make.conf/60-selinux.conf Normal file
View File

@ -0,0 +1,2 @@
USE="${USE} -unconfined"
POLICY_TYPES=mcs