Gentoo Forums
SELinux policy type for desktop
Forum: Networking & Security

kwesadilo
Tux's lil' helper
Joined: 12 Jul 2010
Posts: 85
Location: Colorado

Posted: Sat Jul 05, 2025 4:57 am    Post subject: SELinux policy type for desktop

I'm setting up a desktop, and I figured I would try setting up SELinux, which I have not done before. I've seen discussion of useful SELinux policies on a desktop, but I haven't seen much discussion of this specifically for Gentoo.

In the install guide and elsewhere, I've seen suggestions that targeted is the easiest type to get working, and the incremental value of mls or mcs is low in a single-tenant environment. I will run a few services within my home network from this machine, but probably the biggest part of my threat model is me downloading and running something malicious by accident. Therefore, I chose targeted and followed the setup instructions.

At this point, I haven't even set up cron jobs or a desktop environment. My expectation is that I would boot in permissive mode, fix a few issues with less commonly used software, and be ready to boot into enforcing mode and build up the system a few packages at a time.

Instead, I see that basic actions generate numerous denials. I'll focus on portage, because I would think that would be the area where the Gentoo policies would be the most mature.

Code:
metis ~ # ausearch -ts boot -c emerge |  audit2allow -R

require {
        type portage_cache_t;
        type portage_conf_t;
        type portage_db_t;
        type portage_ebuild_t;
        type bin_t;
        type staff_t;
        type usr_t;
        type lib_t;
        type portage_exec_t;
        type portage_log_t;
        type ldconfig_exec_t;
        type portage_tmp_t;
        type portage_fetch_exec_t;
        class file { append create execute ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
        class dir { add_name create relabelto remove_name rename rmdir setattr write };
        class capability { dac_override dac_read_search net_admin setuid };
        class process setexec;
}

#============= staff_t ==============
allow staff_t bin_t:dir { add_name relabelto remove_name setattr write };
allow staff_t bin_t:file { link relabelto rename setattr unlink write };
allow staff_t ldconfig_exec_t:file { rename unlink };
allow staff_t lib_t:dir { add_name create relabelto remove_name rmdir setattr write };
allow staff_t lib_t:file { link relabelto rename setattr unlink write };
allow staff_t portage_cache_t:dir { add_name remove_name write };
allow staff_t portage_cache_t:file { create ioctl lock open read rename setattr unlink write };
allow staff_t portage_conf_t:dir write;
allow staff_t portage_db_t:dir { add_name create remove_name rename rmdir setattr write };
allow staff_t portage_db_t:file { create ioctl link lock open read rename setattr unlink write };
allow staff_t portage_ebuild_t:dir write;
allow staff_t portage_exec_t:file setattr;
allow staff_t portage_fetch_exec_t:file setattr;
allow staff_t portage_log_t:dir { add_name write };
allow staff_t portage_log_t:file { append create ioctl lock open read setattr write };
allow staff_t portage_tmp_t:file { append create execute ioctl link lock open read relabelfrom rename setattr unlink write };
allow staff_t self:capability { dac_override dac_read_search net_admin setuid };
allow staff_t self:process setexec;
allow staff_t usr_t:dir { add_name create remove_name rmdir setattr write };
aptcacher_etc_filetrans_conf_dir(staff_t)
aptcacher_filetrans_cache_dir(staff_t)
container_file_root_filetrans(staff_t)
corecmd_manage_bin_symlinks(staff_t)
files_manage_etc_files(staff_t)
files_manage_etc_runtime_files(staff_t)
files_manage_etc_runtime_lnk_files(staff_t)
files_manage_mounttab(staff_t)
files_manage_usr_files(staff_t)
files_manage_var_files(staff_t)
files_rw_var_lib_dirs(staff_t)
libs_manage_ld_so(staff_t)
libs_manage_lib_symlinks(staff_t)
logging_manage_generic_log_dirs(staff_t)
logging_manage_generic_logs(staff_t)
miscfiles_manage_localization(staff_t)
miscfiles_manage_man_pages(staff_t)
portage_compile_domain(staff_t)
portage_read_config(staff_t)
portage_read_ebuild(staff_t)


Much of this is just from running emerge -pv1 portage. I believe that I've set filesystem context and relabeled according to the steps in the install guide. The rule suggestions from audit2allow look superficially reasonable, and I would have expected that rules to allow emerge to work would have already been in the policy. As nvraxn notes in my last thread, mcs is the default policy, and many packages expect that.

Am I fundamentally misguided in trying to run targeted instead of the default mcs?

Did I miss something important, like I should be operating as unconfined_u instead of staff_u if I'm running targeted?

Order of magnitude, how many rules should I expect to have to write to boot a minimal install and run emerge?

Is running SELinux on a Gentoo desktop a fool's errand?
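Every rule in the audit2allow output above has staff_t as its source domain, so before writing any allow rules the useful check is which domain the denied syscalls were actually made from: a portage domain, or the interactive user domain that happened to run emerge. The script below is an added example, not code from the post or from the Gentoo policy; it summarizes AVC records by source domain, target type, class and permission, and counts how many come from a given domain. The four audit records are constructed for illustration (they follow the audit(8) AVC line format, with contexts in the three-field form assumed for a non-MCS targeted policy; an `:s0` suffix is tolerated), and the function names `ctx_type`, `avc_summary`, `count_denials_from` and `no_denials_from` are mine. On a real system the input would come from `ausearch -ts boot -m AVC` instead of the embedded string.

```shell
#!/bin/sh
# Added example (not from the forum post): summarize AVC denials by source
# domain and flag those raised in the user domain (staff_t) rather than in a
# portage domain. The records below are CONSTRUCTED for illustration, modelled
# on the audit(8) AVC format; real input: ausearch -ts boot -m AVC

SAMPLE_AVC='type=AVC msg=audit(1751690000.101:201): avc:  denied  { write } for  pid=4101 comm="emerge" name="vdb" dev="sda2" ino=120 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:portage_db_t tclass=dir permissive=1
type=AVC msg=audit(1751690000.102:202): avc:  denied  { setexec } for  pid=4101 comm="emerge" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=1
type=AVC msg=audit(1751690000.103:203): avc:  denied  { dac_override } for  pid=4101 comm="emerge" capability=1 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=capability permissive=1
type=AVC msg=audit(1751690000.104:204): avc:  denied  { create } for  pid=4120 comm="ebuild.sh" name="build.log" scontext=staff_u:sysadm_r:portage_t tcontext=system_u:object_r:portage_log_t tclass=file permissive=1'

# Third field of a context (user:role:type[:range]) is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One line per denial: <source domain> <target type> <class> <perms>
avc_summary() {
    printf '%s\n' "$1" | grep 'avc:  denied' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr ' ' ',')
        sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        printf '%s %s %s %s\n' "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$perms"
    done
}

# Number of denials whose source domain is $2 (e.g. staff_t).
count_denials_from() {
    avc_summary "$1" | awk -v d="$2" '$1 == d { n++ } END { print n + 0 }'
}

# Succeeds only when no denial originates from domain $2; used as a gate
# before feeding the log to audit2allow: denials in staff_t mean emerge never
# transitioned into a portage domain, and allow rules would merely widen staff_t.
no_denials_from() {
    [ "$(count_denials_from "$1" "$2")" -eq 0 ]
}

# Stand-alone run: grouped summary, then the verdict.
avc_summary "$SAMPLE_AVC" | sort | uniq -c
if no_denials_from "$SAMPLE_AVC" staff_t; then
    echo "no denials in staff_t; denials are in the expected domains"
else
    echo "denials raised in staff_t: $(count_denials_from "$SAMPLE_AVC" staff_t)"
fi
```

Run against real output, the count for staff_t is the number to watch: if it is not zero, the first thing to check is the shell's own context (`id -Z`) and the role in effect when emerge was started, not the allow rules audit2allow proposes.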