Gentoo Wiki


This article is part of the Security series.



SELinux was merged as a standard feature in the 2.6 kernel long ago. There is a separate SELinux profile in Gentoo, but it has been slow getting into the main profile, mostly because some of the hardened stuff does not work with glibc 2.4/gcc 4.1. However, the hardened stuff is not needed to use SELinux anyway (though it does complement it nicely).

SELinux has lots of potential, but currently, Red Hat/Fedora is the only major distributor that has it enabled by default.

The first step in getting SELinux into the mainstream on Gentoo is to create a "null" SELinux environment - one with all utilities SELinux-aware and capable, but no policies. The resulting environment must not produce any more errors without the policy than before, and the existence of SELinux should be (almost) invisible. This way, users can "test drive" as much of SELinux as desired - either the Gentoo-provided policies, the reference policy, or a self-written one.

Backing up

Warning: Since this process involves mucking with system packages, backing up first is recommended.

Adding SELinux support

Unmasking the "selinux" use flag

Create (or edit) the file (and any intermediate directories as needed) - /etc/portage/profile/use.mask and add the following line:

File: /etc/portage/profile/use.mask

-selinux

This (somewhat counterintuitively) excludes the "selinux" USE flag from being masked, as opposed to the more intuitive method of listing the "selinux" USE flag as unmasked. Essentially, this is the "double negative" way of doing it, because there is no /etc/portage/profile/use.unmask.

Append "selinux" to USE

Either edit /etc/make.conf or - if gentoolkit is installed:

euse -E selinux

Prevent SELinux policies from being installed

For this, it is possible to (ab)use /etc/portage/profile/package.provided. In previous versions of Portage, this was referred to as "injecting" a package.

find /usr/portage/sec-policy -mindepth 1 -maxdepth 1 -type d -name selinux\* -printf '%p-99999999\n' | cut -d/ -f 4- >> /etc/portage/profile/package.provided

If there is already SELinux-related content in that file (unlikely; most likely the file does not even exist yet), the duplicate entries must be removed, either before or after appending, possibly using "sort -u" or "uniq".
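As an added example (not part of the wiki page), the same package.provided generation written as a shell function: the Portage tree and the target file are parameters, so it can be tried against a scratch tree first, and the de-duplication the note above asks for happens in the same step. The function names and scratch paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: mark every SELinux policy package under
# a Portage tree as "provided" and keep package.provided free of duplicates.
# PORTDIR and OUTFILE are parameters (assumed names) so the helper can be tried
# on a scratch tree before touching /usr/portage and /etc/portage/profile.
set -u

# provide_selinux_policies PORTDIR OUTFILE
# Appends "sec-policy/selinux-<name>-99999999" for each sec-policy/selinux*
# directory, then de-duplicates OUTFILE, keeping the first occurrence of every
# line so unrelated entries already in the file stay where they were.
provide_selinux_policies() {
    portdir=$1
    outfile=$2
    if [ ! -d "$portdir/sec-policy" ]; then
        echo "no sec-policy category under $portdir" >&2
        return 1
    fi
    mkdir -p "$(dirname "$outfile")"
    touch "$outfile"
    # same selection as the article's find invocation: one level below
    # sec-policy, directories only, names starting with "selinux"
    find "$portdir/sec-policy" -mindepth 1 -maxdepth 1 -type d -name 'selinux*' |
        while IFS= read -r dir; do
            printf 'sec-policy/%s-99999999\n' "$(basename "$dir")"
        done >> "$outfile"
    # drop repeated lines without reordering the file (awk remembers seen lines)
    tmp=$(mktemp) || return 1
    awk '!seen[$0]++' "$outfile" > "$tmp" && mv "$tmp" "$outfile"
}

# provided_policy_count OUTFILE
# Number of SELinux policy packages currently marked as provided.
provided_policy_count() {
    grep -c '^sec-policy/selinux' "$1"
}
```

Running it as `provide_selinux_policies /usr/portage /etc/portage/profile/package.provided` reproduces the article's one-liner; the awk pass replaces the manual "sort -u"/"uniq" step and leaves any non-SELinux entries already in the file untouched.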

Disable "selinux" USE flag for busybox

Warning: Currently, BusyBox up to 1.9.0 does not seem to link if USE="selinux" is set, as it will fail with undefined reference to `fsetfilecon_raw'

Either do:

File: /etc/portage/package.use/busybox

sys-apps/busybox -selinux

or:

File: /etc/portage/package.use

sys-apps/busybox -selinux

Rebuild portage with SELinux support

emerge -1N sys-apps/portage
Note: For the rest of the install process, you may see "!!! SELinux module not found. Please verify that it was installed." This is harmless and can be ignored.

Re-emerge packages with "selinux" USE flag

emerge -uND world

As glibc is one of the things that uses the "selinux" USE flag, this could take a while.

Update configuration files

Either use etc-update or dispatch-conf

Create the /selinux directory

mkdir /selinux


shutdown -r now

Verifying the userspace

The system should reboot normally, with no changes in operation, as:

  1. The kernel doesn't have SELinux support
  2. There are no policies loaded

Installing an SELinux enabled kernel

Read the SELinux Handbook

Read the Gentoo SELinux Handbook and compile a kernel with SELinux support. The other steps may be skipped, as the policies and labeling may be done later.

TIP: Disabling SELinux on an SELinux kernel

It is possible to use the same kernel both with and without SELinux. To boot it as a non-SELinux kernel, add selinux=0 to the kernel command line.

TIP: Append "selinux" and "loadpolicy" to FEATURES

Note: Due to circular dependency issues, the selinux and loadpolicy FEATURES cannot be added until the base policy is actually loaded.

Portage can manage the labels of packages it installs or removes. /etc/make.conf will need to be edited manually, as there is no "efeature" counterpart to "euse".

File: /etc/make.conf
FEATURES="selinux loadpolicy" 

TIP: Skipping /selinux in /etc/fstab

/selinux need not be added to /etc/fstab: if SELinux is enabled it will be automounted anyway, which is good, because the boot scripts would complain when SELinux is disabled (or not compiled in).

Verifying the new kernel

After booting the SELinux-enabled kernel (if the instructions in the SELinux Handbook were followed, the kernel should be in permissive mode), everything should behave as before, as there are still no policies loaded. However, the /selinux directory should now be populated.

Preparing for the first SELinux boot

Emerging the policies with Portage

Now simply remove all the SELinux policies from /etc/portage/profile/package.provided, then:

emerge -uD world

Gentoo now uses the reference policy; this is almost certainly what you are going to want to use. Note that quite a few packages have corresponding SELinux policies that are not automatically pulled in by USE=selinux. In that case, you'll have to emerge the policy manually.

Enable restorecond at boot

Easy enough:

rc-update add restorecond boot

Set auto-relabeling

For SELinux to work correctly, the files need to be labeled properly. For the files to be labeled properly, the policy needs to be loaded. For the policy to be loaded, SELinux needs to be working correctly. Ad nauseam. To break out of this loop, we can have the files auto-labeled early in the boot process:

touch /.autorelabel

Configuring the policy store

Finally, the policy store needs to be configured. This is easy: just edit /etc/selinux/config. By default, it loads the strict policy in permissive mode. The strict policy is too tight for all but the most draconian environments; almost everyone will want to change this to targeted. On the other hand, it is probably better to start in permissive mode on the first boot, and then switch to enforcing mode, to see what kind of errors will occur without rendering your system totally inoperable.
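As an added example (not part of the wiki page), a few shell helpers for the two checks above: reading the runtime mode from the mounted selinuxfs (the "populated /selinux" check from Verifying the new kernel) and switching /etc/selinux/config to permissive mode with the targeted policy without leaving duplicate keys behind. The directory and file paths are parameters and the function names are assumptions; the helper accepts only the modes and the two policy types the article discusses.

```shell
#!/bin/sh
# Added example, not from the wiki page. Helpers for the two checks the article
# describes: what mode the running kernel is in (read from the mounted selinuxfs,
# normally /selinux on a system of this era) and editing /etc/selinux/config
# without leaving duplicate keys behind. Paths are parameters (assumed names) so
# the helpers can be tried on a scratch directory and a copy of the config.
set -u

# selinux_runtime_mode SELINUXFS_DIR
# Prints "disabled" when the directory is not populated (no SELinux kernel, or
# booted with selinux=0), otherwise "permissive" or "enforcing" from the
# "enforce" node (0 = permissive, 1 = enforcing).
selinux_runtime_mode() {
    if [ ! -r "$1/enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$1/enforce")" in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo unknown; return 1 ;;
    esac
}

# selinux_config_set FILE KEY VALUE
# Replaces an existing "KEY=..." line or appends one; comments are left alone.
# Only the values the article discusses are accepted, so a typo cannot leave
# the config with a mode or policy type the tooling will not understand.
selinux_config_set() {
    file=$1
    key=$2
    value=$3
    case "$key=$value" in
        SELINUX=permissive|SELINUX=enforcing|SELINUX=disabled) ;;
        SELINUXTYPE=strict|SELINUXTYPE=targeted) ;;
        *) echo "refusing unknown setting $key=$value" >&2; return 1 ;;
    esac
    touch "$file"
    if grep -q "^$key=" "$file"; then
        tmp=$(mktemp) || return 1
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# selinux_config_get FILE KEY
# Prints the value of KEY; if the file somehow holds several assignments,
# this helper reports the last one.
selinux_config_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# first_boot_settings FILE
# The combination the article recommends for the first SELinux boot:
# permissive mode (denials are only logged) with the targeted policy.
first_boot_settings() {
    selinux_config_set "$1" SELINUX permissive &&
    selinux_config_set "$1" SELINUXTYPE targeted
}
```

On a real system the calls would be `selinux_runtime_mode /selinux` and `first_boot_settings /etc/selinux/config`; comparing the runtime mode with `selinux_config_get /etc/selinux/config SELINUX` after the reboot is a quick way to confirm the config was actually picked up.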


Reboot now. It is technically possible to load the policy now; however, it is NOT recommended, because existing processes won't be labeled correctly.

Undoing the process

This process is completely reversible.

Re-masking the SELinux flag

Remove the "-selinux" flag from /etc/portage/profile/use.mask. If that would make /etc/portage/profile/use.mask empty, it may be deleted instead.

Removing the SELinux USE flag

Either edit /etc/make.conf or - if gentoolkit is installed:

euse -D selinux

Removing "selinux" and "loadpolicy" from FEATURES

/etc/make.conf will have to be edited manually, as there is no "efeature" counterpart to "euse".

Re-emerge all packages without SELinux support

emerge -uND world

Un-provide the SELinux policies

Remove all the sec-policy/* entries from /etc/portage/profile/package.provided by hand. If that would make /etc/portage/profile/package.provided empty, it may be deleted instead. If the /etc/portage/profile directory is then empty, it too may be deleted if desired.

Clean out remaining SELinux cruft

At least Portage 2.1.1 is recommended before doing this:

emerge -a --depclean

TIP: Checking link consistency

Gentoolkit users can check that all the SELinux stuff is gone and nothing is broken:

revdep-rebuild -p

Remove /selinux

If a non-SELinux kernel is booted (or SELinux is disabled), the /selinux directory may be removed:

rmdir /selinux

Recompile the kernel without SELinux

Optionally, recompile the kernel without SELinux support, or leave selinux=0 on the kernel command line for the same effect.

Clearing the extended attributes

The extended attribute used for SELinux is named security.selinux. To see which files have the attribute, use (replace / with the filesystem's mount point):

find / -xdev -exec getfattr -n security.selinux {} \;

To clear the attributes:

find / -xdev -exec setfattr -x security.selinux {} \;


While doing this process (and undoing it), my gdm stopped displaying the background.svg image in the themes; the background was simply grey and it was emitting errors in the syslog:

Mar 27 10:59:15 ardvarc gdmgreeter[8643]: GLib-GObject-WARNING:  invalid (NULL) pointer instance
Mar 27 10:59:15 ardvarc gdmgreeter[8643]: GLib-GObject-CRITICAL: g_signal_connect_data: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

Re-emerging gnome-base/librsvg fixed it.

Last modified: Fri, 05 Sep 2008 20:43:00 +0000