Created attachment 920497 [details]
emerge --info

Hi,

I get SELinux denials while using "emerge" and would like to know whether this is a thing to be concerned about. Is there something I should change with the SELinux installation procedure as shown below, which builds upon:
- https://wiki.gentoo.org/wiki/Hardened_Gentoo
- https://wiki.gentoo.org/wiki/SELinux/Installation

You can download a .qcow2 image that went through below installation from:
https://github.com/duxsco/gentoo-bgo-upload/

Beware that the image comes with an empty /var/db/repos/gentoo.

The image is based upon:
https://www.gentoo.org/news/2025/02/20/gentoo-qcow2-images.html

Installation steps:

1. I launch the virtual machine with serial port enabled to allow for copy&paste:

```
su -l qemu -s /bin/bash -c "
        qemu-system-x86_64 \
        -m 8G -smp 4 -cpu host -accel kvm -vga virtio -smbios type=0,uefi=on \
        -drive if=pflash,unit=0,readonly=on,file=/usr/share/edk2/OvmfX64/OVMF_CODE_4M.qcow2,format=qcow2 \
        -drive file=/var/lib/libvirt/images/di-amd64-console-20250302T170343Z.qcow2 \
        -serial mon:stdio \
        -nographic \
        --sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny
"
```

2. Login as "root"

3. Fetch the repo:

```
mkdir /var/db/repos/gentoo && \
chown portage: /var/db/repos/gentoo && \
emerge-webrsync; echo $?
```

4. Switch over to hardened profile:

```
eselect profile set "default/linux/amd64/23.0/no-multilib/hardened/systemd" && \
source /etc/profile && \
emerge --oneshot sys-devel/gcc && \
emerge --oneshot sys-devel/binutils sys-libs/glibc && \
source /etc/profile; echo $?
```

5. Enable SELinux:


```
echo 'POLICY_TYPES="mcs"' >> /etc/portage/make.conf && \
eselect profile set "default/linux/amd64/23.0/no-multilib/hardened/selinux/systemd" && \
source /etc/profile && \
FEATURES="-selinux" emerge --oneshot selinux-base && \
FEATURES="-selinux -sesandbox" emerge --oneshot selinux-base && \
FEATURES="-selinux -sesandbox" emerge --oneshot selinux-base-policy && \
FEATURES="-selinux -sesandbox" emerge --ask --verbose --oneshot && \ selinux-policykit
FEATURES="-selinux -sesandbox" emerge --ask --verbose --oneshot && \ selinux-dbus
emerge -vuDN @world && \
systemctl enable auditd.service; echo $?


6. Update grub.cfg:

```
sed -i 's/^GRUB_CMDLINE_LINUX="/GRUB_CMDLINE_LINUX="lsm=selinux enforcing=0 /' /etc/default/grub && \
grub-mkconfig -o /boot/grub/grub.cfg; echo $?
```

7. Reboot

8. Relabel the system:

```
mkdir /mnt/gentoo && \
mount -o bind / /mnt/gentoo && \
my_mountpoints="$(mount | grep " on /" | awk '{print $3}' | grep -v "^/$" | while read -r I; do if [[ -d /mnt/gentoo$I ]]; then echo "$I"; fi; done | paste -d, -s -)" && \
setfiles -r /mnt/gentoo /etc/selinux/mcs/contexts/files/file_contexts /mnt/gentoo{$my_mountpoints} && \
umount /mnt/gentoo && \
rlpkg -a -r && \
semanage user -m -R "staff_r sysadm_r system_r" root; echo $?
```

9. Reboot

10. Do some sample installation and print out SELinux denials:

```
date +"%m/%d/%y '%H:%M:%S'" > timestamp.txt && \
sleep 10s && \
emerge app-misc/screen && \
cat timestamp.txt | xargs ausearch --message AVC,USER_AVC --start
```