Workgroup:SELinux

This group is about adding SE Linux support to NixOS both booting and when run on a system like Debian or Fedora with SE Linux support.

People

etbe

Config

tell kernel to use SE Linux

 boot.kernelParams = [ "security=selinux" ];

compile kernel with SE Linux support - but also support for other LSM modules

 boot.kernelPatches = [ {
       name = "selinux-config";
       patch = null;
       extraConfig = 
               SECURITY_SELINUX y
               SECURITY_SELINUX_BOOTPARAM n
               SECURITY_SELINUX_DISABLE n
               SECURITY_SELINUX_DEVELOP y
               SECURITY_SELINUX_AVC_STATS y
               SECURITY_SELINUX_CHECKREQPROT_VALUE 0
               DEFAULT_SECURITY_SELINUX n
             ;
       } ];

policycoreutils is for load_policy, fixfiles, setfiles, setsebool, semodile, and sestatus.

environment.systemPackages = with pkgs; [ policycoreutils ];

build systemd with SE Linux support so it loads policy at boot and supports file labelling

systemd.package = pkgs.systemd.override { withSelinux = true; };

Links

Proposed patch for subst file-contexts, this maps /nix/store/* directories to / for file labelling (both initial system labelling and dynamic labelling of new files).
GitHub page for e-user's changes adding SE Linux support to NixOS.