[QUESTION] Default policies already deployed when "selinux" pkg group is installed?

[D3vil0p3r]

I am following https://wiki.archlinux.org/title/SELinux to install SELinux on my Arch environment.

I installed all selinux tools by installing selinux pkg group. By following Arch Wiki, at https://wiki.archlinux.org/title/SELinux#Installing_a_policy , it explains how to build and deploy the default policies (/etc/selinux/refpolicy/policy).

My 1st question: when I install selinux pkg group, the default SELinux policies stored in /etc/selinux/refpolicy/src/policy/ are already automatically deployed or I need to build and install them after selinux pkg group install?

My 2nd question: on /etc/selinux/config I see SELINUXTYPE=refpolicy-arch and in /etc/selinux/ I see:

/etc/selinux/refpolicy/policy
/etc/selinux/refpolicy-arch/policy

refpolicy has a src directory where I build, install and load by make the default policies. Once loaded, if I have SELINUXTYPE=refpolicy-arch in my config and I reboot the system and I run restorecon -r /, are refpolicy removed and refpolicy-arch automatically applied?

My 3rd question: in https://wiki.archlinux.org/title/SELinux#Installing_a_policy when deal with the creation of requiredmod.te file with the following content:

module requiredmod 1.0;

require {
        type devpts_t;
        type kernel_t;
        type device_t;
        type var_run_t;
        type udev_t;
        type hugetlbfs_t;
        type udev_tbl_t;
        type tmpfs_t;
        class sock_file write;
        class unix_stream_socket { read write ioctl };
        class capability2 block_suspend;
        class dir { write add_name };
        class filesystem associate;
}

#============= devpts_t ==============
allow devpts_t device_t:filesystem associate;

#============= hugetlbfs_t ==============
allow hugetlbfs_t device_t:filesystem associate;

#============= kernel_t ==============
allow kernel_t self:capability2 block_suspend;

#============= tmpfs_t ==============
allow tmpfs_t device_t:filesystem associate;

#============= udev_t ==============
allow udev_t kernel_t:unix_stream_socket { read write ioctl };
allow udev_t udev_tbl_t:dir { write add_name };
allow udev_t var_run_t:sock_file write;

and run the commands:

checkmodule -m -o requiredmod.mod requiredmod.te
semodule_package -o requiredmod.pp -m requiredmod.mod
semodule -i requiredmod.pp

"to remove a few messages from /var/log/audit/audit.log which are a nuisance to deal with in the reference policy", is it already done by these refpolicy-arch (so we don't need to do this hacky stuff) or not?

My 4th question: after the install of selinux pkg group, do I still need to label the entire filesystem by restorecon -r / or it is already automatically done?

[fishilico]

Hello,
Thanks for your questions. It has been quite a long time since I edited the content of https://wiki.archlinux.org/title/SELinux and it could be quite out-dated (at the time, the systemd support in refpolicy was quite lacking, and since then many things got improved).

My 2nd question: on /etc/selinux/config I see SELINUXTYPE=refpolicy-arch

I am maintaining 3 packages related to refpolicy (https://github.com/SELinuxProject/refpolicy):

• selinux-refpolicy-src installs the source modules of refpolicy. These files need to be built to be used.
• selinux-refpolicy-git installs built modules of refpolicy (git main version), as well as a /etc/selinux/config with SELINUXTYPE=refpolicy-git (cf. https://aur.archlinux.org/cgit/aur.git/tree/config?h=selinux-refpolicy-git)
• selinux-refpolicy-arch installs built modules of refpolicy (released version and minor patches such as those on https://github.com/archlinuxhardened/selinux-policy-arch/commits/2.20231002/ ), as well as a /etc/selinux/config with SELINUXTYPE=refpolicy-arch (cf. https://aur.archlinux.org/cgit/aur.git/tree/config?h=selinux-refpolicy-arch)

To use refpolicy-src (using make and make load like to wrote), you also need to configure /etc/selinux/config with SELINUXTYPE=refpolicy. This should answer your first question.

For your 3rd question,

is it already done by these refpolicy-arch (so we don't need to do this hacky stuff) or not?

I don't know. You could take a look at https://github.com/SELinuxProject/refpolicy

By the way, I am aware that selinux-refpolicy-arch has been lagging behind the releases of refpolicy for 1 year, due to lack of time to properly test each release on my side. If you test the latest release and open an issue or a Pull Request saying "I tested refpolicy version 2.20240916 with the build config from archlinuxhardened/selinux-policy-arch@015826e and it works", it will help me be more confident when performing updates 😃

My 4th question: after the install of selinux pkg group, do I still need to label the entire filesystem by restorecon -r / or it is already automatically done?

I don't remember of an automation like touch /.autorelabel && reboot that other Linux distributions has (like Fedora and Debian). Nevertheless, I don't know whether nowadays such automation would directly be in systemd. So I don't know the answer to your question, but in doubt, run restorecon -r / after installing the packages.

Sorry for not answering more precisely. Due to the end-of-year holidays I am currently away from my usual SELinux testing infrastructure and will not be able to really work on things until beginning of January. If you have other questions, feel free to add more.