AimeeOS/aimee-os
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Switch to "mcs" SELinux policy

Browse Source 
We're going to want the ability for processes to have unique categories,
to enforce separation of container processes.  Gentoo's SELinux policy
supports both Multi-Category Security and Multi-Level Security modes,
although the latter does not seem to work out of the box.
This commit is contained in:
Dustin
2023-03-12 21:34:15 -05:00
parent cb7e0a5819
commit e9b21b0ca0
3 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
build-rootfs.sh
View File

@@ -100,10 +100,10 @@ setfiles \
-F \ -F \
-m \ -m \
-r /mnt/gentoo \ -r /mnt/gentoo \
-c /mnt/gentoo/etc/selinux/strict/policy/policy.* \ -c /mnt/gentoo/etc/selinux/mcs/policy/policy.* \
-e /mnt/gentoo/var/db/pkg \ -e /mnt/gentoo/var/db/pkg \
-e /mnt/gentoo/etc/portage \ -e /mnt/gentoo/etc/portage \
/mnt/gentoo/etc/selinux/strict/contexts/files/file_contexts \ /mnt/gentoo/etc/selinux/mcs/contexts/files/file_contexts \
/mnt/gentoo /mnt/gentoo
touch /mnt/gentoo/usr touch /mnt/gentoo/usr

2
overlay/etc/selinux/config
View File

@@ -12,4 +12,4 @@ SELINUX=enforcing
# mls - Full SELinux protection with Multi-Level Security # mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security # mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level) # (mls, but only one sensitivity level)
SELINUXTYPE=strict SELINUXTYPE=mcs

2
portage/config/target/etc/portage/make.conf/60-selinux.conf Normal file
View File

@@ -0,0 +1,2 @@
USE="${USE} -unconfined"
POLICY_TYPES=mcs