Difference between revisions of "Workgroup:SELinux"
From NixOS Wiki
| Line 7: | Line 7: | ||
== Config == | == Config == | ||
| − | boot.kernelParams = [ "security=selinux | + | # tell kernel to use SE Linux |
| − | + | boot.kernelParams = [ "security=selinux" ]; | |
| + | # compile kernel with SE Linux support - but also support for other LSM modules | ||
boot.kernelPatches = [ { | boot.kernelPatches = [ { | ||
name = "selinux-config"; | name = "selinux-config"; | ||
| Line 19: | Line 20: | ||
SECURITY_SELINUX_AVC_STATS y | SECURITY_SELINUX_AVC_STATS y | ||
SECURITY_SELINUX_CHECKREQPROT_VALUE 0 | SECURITY_SELINUX_CHECKREQPROT_VALUE 0 | ||
| + | DEFAULT_SECURITY_SELINUX n | ||
''; | ''; | ||
} ]; | } ]; | ||
| − | + | # policycoreutils is for load_policy, fixfiles, setfiles, setsebool, semodile, and sestatus. | |
environment.systemPackages = with pkgs; [ policycoreutils ]; | environment.systemPackages = with pkgs; [ policycoreutils ]; | ||
| + | # build systemd with SE Linux support so it loads policy at boot and supports file labelling | ||
systemd.package = pkgs.systemd.override { withSelinux = true; }; | systemd.package = pkgs.systemd.override { withSelinux = true; }; | ||
Revision as of 03:36, 27 February 2019
This group is about adding SE Linux support to NixOS both booting and when run on a system like Debian or Fedora with SE Linux support.
People
Config
- tell kernel to use SE Linux
boot.kernelParams = [ "security=selinux" ];
- compile kernel with SE Linux support - but also support for other LSM modules
boot.kernelPatches = [ {
name = "selinux-config";
patch = null;
extraConfig =
SECURITY_SELINUX y
SECURITY_SELINUX_BOOTPARAM n
SECURITY_SELINUX_DISABLE n
SECURITY_SELINUX_DEVELOP y
SECURITY_SELINUX_AVC_STATS y
SECURITY_SELINUX_CHECKREQPROT_VALUE 0
DEFAULT_SECURITY_SELINUX n
;
} ];
- policycoreutils is for load_policy, fixfiles, setfiles, setsebool, semodile, and sestatus.
environment.systemPackages = with pkgs; [ policycoreutils ];
- build systemd with SE Linux support so it loads policy at boot and supports file labelling
systemd.package = pkgs.systemd.override { withSelinux = true; };
Links
- Proposed patch for subst file-contexts, this maps /nix/store/* directories to / for file labelling (both initial system labelling and dynamic labelling of new files).
- GitHub page for e-user's changes adding SE Linux support to NixOS.