Simplicity is a form of art...

Custom CIL SELinux policies in Gentoo
by Sven Vermeulen, post on Thu 10 September 2015

In Gentoo, we have been supporting custom policy packages for a while now. Unlike most other distributions, which focus on binary packages, Gentoo has always supported source-based packages by default (although binary packages are supported as well).

A recent commit now also allows CIL files to be used.

Maintaining packages and backporting
by Sven Vermeulen, post on Wed 02 September 2015

A few days ago I committed a small update to policycoreutils, an SELinux-related package that provides most of the management utilities for SELinux systems. The fix was to get two patches (which are committed upstream) into the existing release so that our users can benefit from the fixed issues without having to wait for a new release.

No more DEPENDs for SELinux policy package dependencies
by Sven Vermeulen, post on Sun 02 November 2014

I just finished updating 102 packages. The change? Removing the following from the ebuilds:

DEPEND="selinux? ( sec-policy/selinux-${packagename} )"

In the past, we needed this construction in both DEPEND and RDEPEND. Recently however, the SELinux eclass got updated with some logic to relabel files after the policy package is deployed …

Stepping through the build process with ebuild
by Sven Vermeulen, post on Sun 20 April 2014

Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don't use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream …

Overriding the default SELinux policies
by Sven Vermeulen, post on Wed 15 May 2013

Extending SELinux policies with additional rules is easy. As SELinux uses a deny-by-default approach, all you need to do is to create a policy module that contains the additional (allow) rules, load that and you're all set. But what if you want to remove some rules?

Well, sadly …
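As an added example (not code from the original posts), the kind of custom policy module the two SELinux entries above refer to: a small CIL file that adds allow rules on top of the loaded policy, written in the CIL syntax that Gentoo's custom policy packages now accept. It assumes a reference-policy based system where the types user_t, staff_t and var_log_t and the classes dir and file already exist; the block name mylocal and the attribute name logreader are hypothetical.

```cil
; Added example, not part of the original post.
; A local CIL policy module that grants two existing user domains read
; access to log files. Nothing here is removed from the base policy;
; deny-by-default means a module can only add (allow) rules.
; Assumes user_t, staff_t and var_log_t are defined in the loaded policy.
(block mylocal
    ; Group the domains we want to extend under one local attribute,
    ; so the rules below are written once and apply to all of them.
    (typeattribute logreader)
    (typeattributeset logreader (user_t staff_t))

    ; Let those domains traverse /var/log and read the files in it.
    (allow logreader var_log_t (dir (search getattr)))
    (allow logreader var_log_t (file (getattr open read)))

    ; Silence (but still deny) write attempts so they do not fill the AVC log.
    (dontaudit logreader var_log_t (file (write)))
)
```

Load it with `semodule -i mylocal.cil` (semodule takes .cil files directly; use `-X` to pick a priority if you want it to sit above the distribution modules) and confirm the rules landed with `sesearch -A -s user_t -t var_log_t`. Everything in the block is namespaced, so the attribute is visible to other modules as mylocal.logreader.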