commit: 5c6a06b757caf37b121ea1f5689d6960b4fa61bc
Author: Rahul Sandhu <nvraxn <AT> gmail <DOT> com>
AuthorDate: Mon Mar 10 21:28:17 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Mar 24 08:39:48 2025 +0000
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=5c6a06b7
selinux: use FEATURES to enable SELinux awareness instead of USE
USE is not really appropriate for toggling SELinux awareness as it is
not really package-related. Current SELinux profiles already set
FEATURES="selinux", so no changes are required in ::gentoo.
Portage currently has two main features of SELinux awareness:
- Relabeling all objects in ${D} before merging to the system root to
ensure correct labeling. This is not possible if the system's filecon
specs are broken, as portage would be unable to calculate the context
needed to be applied to objects.
- Transitioning the package build run in sandbox to a SELinux sandbox
domain specified by PORTAGE_SANDBOX_T. This however already has its
own feature, FEATURES="sesandbox".
Hence, pivot over to FEATURES="selinux" for all operations that take
place on filesystem objects.
It should be expected that FEATURES="-selinux" will completely disable
selinux awareness; the system administrator should be able to recover
from a situation where labeling is invalid using portage without having
to fully disable SELinux from being loaded by the kernel.
This is useful for recovery situations where a core SELinux component
is broken, such as:
- policycoreutils
- system policy
- filesystem labelling
In those cases, as all SELinux awareness for portage can be turned off,
FEATURES="-selinux" has no additional requirements for a functioning
portage on SELinux systems, making it possible to fix broken SELinux
installations.
Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com>
Closes: https://github.com/gentoo/portage/pull/1429
Signed-off-by: Sam James <sam <AT> gentoo.org>
lib/portage/package/ebuild/config.py | 2 +-
man/make.conf.5 | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/portage/package/ebuild/config.py b/lib/portage/package/ebuild/config.py
index ceb9b8020a..fa190ab173 100644
--- a/lib/portage/package/ebuild/config.py
+++ b/lib/portage/package/ebuild/config.py
@@ -3446,7 +3446,7 @@ class config:
def selinux_enabled(self):
if getattr(self, "_selinux_enabled", None) is None:
self._selinux_enabled = 0
- if "selinux" in self["USE"].split():
+ if "selinux" in self.features:
if selinux:
if selinux.is_selinux_enabled() == 1:
self._selinux_enabled = 1
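Review bot: when "selinux" is in FEATURES but the `selinux` Python module is unavailable, the `if selinux:` branch falls through and `_selinux_enabled` stays 0, so every merge silently proceeds without relabeling; now that the profiles set this FEATURE and the man page tells administrators not to toggle it, consider logging a warning in that branch so a missing libselinux binding is not mistaken for a deliberate FEATURES="-selinux". Note also that the result is memoized in `_selinux_enabled` on the first call, so the membership test against `self.features` reflects the FEATURES value at that moment; that was already true of the old USE check, but it matters more now that FEATURES is the documented recovery knob.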
diff --git a/man/make.conf.5 b/man/make.conf.5
index d0e3296758..1ce2a6a942 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -736,6 +736,11 @@ dependencies.
.B sandbox
Enable sandbox\-ing when running \fBemerge\fR(1) and \fBebuild\fR(1).
.TP
+.B selinux
+Enable SELinux awareness. Portage will install objects to the filesystem with
+a SELinux context calculated from the current loaded policy.
+Do not toggle this \fBFEATURE\fR yourself.
+.TP
.B sesandbox
Enable SELinux sandbox\-ing. Do not toggle this \fBFEATURE\fR yourself.
.TP
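Review bot: the new entry's "Do not toggle this \fBFEATURE\fR yourself." contradicts the commit message, whose rationale is that an administrator sets FEATURES="-selinux" to recover from broken policycoreutils, policy or file contexts; suggest wording along the lines of "Enabled by the SELinux profiles; disable only to recover a system whose SELinux policy or file contexts are broken." While here, "a SELinux context" should read "an SELinux context", and the entry would be more useful if it stated what disabling the feature changes for merged objects, since that is exactly what an administrator in a recovery situation needs to know.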