SELinux workgroup: Difference between revisions
imported>Etbe No edit summary |
imported>Etbe No edit summary |
Line 7: | Line 7: | ||
== Config == | == Config == | ||
boot.kernelParams = [ "security=selinux | # tell kernel to use SE Linux | ||
boot.kernelParams = [ "security=selinux" ]; | |||
# compile kernel with SE Linux support - but also support for other LSM modules | |||
boot.kernelPatches = [ { | boot.kernelPatches = [ { | ||
name = "selinux-config"; | name = "selinux-config"; | ||
Line 19: | Line 20: | ||
SECURITY_SELINUX_AVC_STATS y | SECURITY_SELINUX_AVC_STATS y | ||
SECURITY_SELINUX_CHECKREQPROT_VALUE 0 | SECURITY_SELINUX_CHECKREQPROT_VALUE 0 | ||
DEFAULT_SECURITY_SELINUX n | |||
''; | ''; | ||
} ]; | } ]; | ||
# policycoreutils is for load_policy, fixfiles, setfiles, setsebool, semodile, and sestatus. | |||
environment.systemPackages = with pkgs; [ policycoreutils ]; | environment.systemPackages = with pkgs; [ policycoreutils ]; | ||
# build systemd with SE Linux support so it loads policy at boot and supports file labelling | |||
systemd.package = pkgs.systemd.override { withSelinux = true; }; | systemd.package = pkgs.systemd.override { withSelinux = true; }; | ||
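Review bot: The new side enables SE Linux in the kernel (`DEFAULT_SECURITY_SELINUX n` together with `security=selinux`) and in systemd, but nothing in this hunk brings a policy into the system, so the boot-time policy load that the new comment on `systemd.package` relies on has nothing to load unless a policy package and `/etc/selinux/config` are provided elsewhere in the file. I would state that dependency next to the `environment.systemPackages` line, e.g. `# a policy (and /etc/selinux/config) must be provided separately; without one there is nothing to load and SE Linux presumably stays inactive`. Because `DEFAULT_SECURITY_SELINUX` is set to `n`, the `security=selinux` boot parameter is what actually selects SE Linux, so the comment on `boot.kernelParams` should say that removing the parameter silently turns it off: `# required: with DEFAULT_SECURITY_SELINUX=n, dropping this parameter disables SE Linux`. Also, `semodile` in the `policycoreutils` comment should read `semodule`. The configuration block appears to continue past the last context line shown.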