Workgroup:SELinux: Difference between revisions

From NixOS Wiki
imported>Etbe
No edit summary
imported>Vieta
style
 
(5 intermediate revisions by one other user not shown)
Line 1: Line 1:
This group is about adding SE Linux support to NixOS both booting and when run on a system like Debian or Fedora with SE Linux support.
== Selinux ==


== People ==
Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM). 


* [[User:etbe|etbe]]
==== Config Sample ====


== Config ==
<syntaxHighlight lang="nix">


  boot.kernelParams = [ "security=selinux" ];
boot.kernelParams = [ "security=selinux" ];
# not yet tested the kernel config
# compile kernel with SELinux support - but also support for other LSM modules
  boot.kernelPatches = [ {
boot.kernelPatches = [ {
         name = "selinux-config";
         name = "selinux-config";
         patch = null;
         patch = null;
         extraConfig = ''
         extraConfig = ''
                 SECURITY_SELINUX y
                 SECURITY_SELINUX y
                SECURITY_SELINUX_BOOTPARAM n
                SECURITY_SELINUX_DISABLE n
                 SECURITY_SELINUX_DEVELOP y
                 SECURITY_SELINUX_DEVELOP y
                 SECURITY_SELINUX_AVC_STATS y
                 SECURITY_SELINUX_AVC_STATS y
                 SECURITY_SELINUX_CHECKREQPROT_VALUE 0
                 SECURITY_SELINUX_CHECKREQPROT_VALUE 0
                DEFAULT_SECURITY_SELINUX n
               '';
               '';
         } ];
         } ];
# policycoreutils is for load_policy, fixfiles, setfiles, setsebool, semodile, and sestatus.
environment.systemPackages = with pkgs; [ policycoreutils ];
# build systemd with SELinux support so it loads policy at boot and supports file labelling
systemd.package = pkgs.systemd.override { withSelinux = true; };
</syntaxHighlight>
==== Links ====
* [https://www.redhat.com/de/topics/linux/what-is-selinux RHEL overview to SElinux]
* [https://wiki.archlinux.org/title/SELinux Archwiki to SElinux]
* [https://lore.kernel.org/selinux/7853167.K65cXu0y11@neuromancer/T/#u Proposed patch for subst file-contexts], this maps /nix/store/* directories to / for file labelling (both initial system labelling and dynamic labelling of new files).
* [https://github.com/NixOS/nix/pull/2670 GitHub page for e-user's changes adding SELinux support to NixOS].

Latest revision as of 08:27, 12 December 2023

Selinux

Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system. It was originally developed by the United States National Security Agency (NSA) as a series of patches to the Linux kernel using Linux Security Modules (LSM).

Config Sample

 boot.kernelParams = [ "security=selinux" ];
 # compile kernel with SELinux support - but also support for other LSM modules
 boot.kernelPatches = [ {
        name = "selinux-config";
        patch = null;
        extraConfig = ''
                SECURITY_SELINUX y
                SECURITY_SELINUX_BOOTPARAM n
                SECURITY_SELINUX_DISABLE n
                SECURITY_SELINUX_DEVELOP y
                SECURITY_SELINUX_AVC_STATS y
                SECURITY_SELINUX_CHECKREQPROT_VALUE 0
                DEFAULT_SECURITY_SELINUX n
              '';
        } ];
 # policycoreutils is for load_policy, fixfiles, setfiles, setsebool, semodile, and sestatus.
 environment.systemPackages = with pkgs; [ policycoreutils ];
 # build systemd with SELinux support so it loads policy at boot and supports file labelling
 systemd.package = pkgs.systemd.override { withSelinux = true; };

Links