SELinux desktop profiles came up on IRC earlier and I thought it might be a good idea to make a post about it. Currently in gentoo there are only two selinux profiles:
meriadoc ~ # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/13.0
[2] default/linux/amd64/13.0/selinux
[3] default/linux/amd64/13.0/desktop
[4] default/linux/amd64/13.0/desktop/gnome
[5] default/linux/amd64/13.0/desktop/gnome/systemd
[6] default/linux/amd64/13.0/desktop/kde
[7] default/linux/amd64/13.0/desktop/kde/systemd
[8] default/linux/amd64/13.0/desktop/plasma
[9] default/linux/amd64/13.0/desktop/plasma/systemd
[10] default/linux/amd64/13.0/developer
[11] default/linux/amd64/13.0/no-multilib
[12] default/linux/amd64/13.0/systemd
[13] default/linux/amd64/13.0/x32
[14] hardened/linux/amd64
[15] hardened/linux/amd64/selinux *
[16] hardened/linux/amd64/no-multilib
[17] hardened/linux/amd64/no-multilib/selinux
[18] hardened/linux/amd64/x32
[19] hardened/linux/musl/amd64
[20] hardened/linux/musl/amd64/x32
[21] default/linux/uclibc/amd64
[22] hardened/linux/uclibc/amd64
How would one go about having both default/linux/amd64/13.0/desktop and selinux? We could add selinux versions of every single other profile but that would very quickly get unmanageable. Turns out making a custom one is pretty simple:
unlink /etc/portage/make.profile
mkdir /etc/portage/make.profile
echo 6 > /etc/portage/make.profile/eapi
echo "gentoo:default/linux/amd64/13.0/desktop" > /etc/portage/make.profile/parent
echo "gentoo:features/selinux" >> /etc/portage/make.profile/parent
The parent file will tell portage to first use the desktop profile and then use the selinux feature on top. It is important that the selinux line comes last since it needs to override several things that might be set earlier in the desktop profile.
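To see exactly what order portage ends up stacking, here is a small added script (not from the post or from portage) that walks parent files the same way: each entry is followed depth-first, in file order, with the profile itself last. It builds a constructed mini repository as a stand-in for the real ::gentoo tree, assumes the `repo:path` form resolves under that repo's profiles/ directory, and also checks that the selinux feature is the final parent entry.

```shell
#!/bin/sh
# Constructed example: resolve a profile's stacking order from its "parent"
# files. Later entries win over earlier ones, which is why features/selinux
# has to be the last line of the custom profile.

# resolve_profile REPO_ROOT PROFILE_DIR -> one profile directory per line.
# The body is a subshell so the recursion keeps its own variables in POSIX sh.
resolve_profile() (
    repo=$1
    prof=$(cd "$2" && pwd -P) || exit 1
    if [ -f "$prof/parent" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) ;;                                                   # blank or comment
                *:*) resolve_profile "$repo" "$repo/profiles/${line#*:}" ;;   # repo:path form
                *)   resolve_profile "$repo" "$prof/$line" ;;                 # path relative to this profile
            esac
        done < "$prof/parent"
    fi
    printf '%s\n' "$prof"
)

# last_parent_is PROFILE_DIR ENTRY -> 0 if ENTRY is the final non-comment line of parent
last_parent_is() {
    last=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1/parent" | tail -n 1)
    [ "$last" = "$2" ]
}

# demo: build a constructed tree, resolve the custom profile, print paths relative to it
demo() (
    tmp=$(cd "$(mktemp -d)" && pwd -P)
    p=$tmp/repo/profiles
    mkdir -p "$p/base" "$p/arch/amd64" "$p/default/linux/amd64/13.0/desktop" \
             "$p/features/selinux" "$tmp/etc-portage/make.profile"
    printf '../../../../base\n../../../../arch/amd64\n' > "$p/default/linux/amd64/13.0/parent"
    printf '..\n' > "$p/default/linux/amd64/13.0/desktop/parent"
    # the custom profile from the post: desktop first, selinux feature last
    printf 'gentoo:default/linux/amd64/13.0/desktop\ngentoo:features/selinux\n' \
        > "$tmp/etc-portage/make.profile/parent"
    resolve_profile "$tmp/repo" "$tmp/etc-portage/make.profile" | sed "s|^$tmp/||"
    last_parent_is "$tmp/etc-portage/make.profile" gentoo:features/selinux && echo "selinux-last: yes"
    rm -rf "$tmp"
)
```

Running `demo` prints the whole desktop chain (base, arch, 13.0, desktop) before features/selinux, with the custom make.profile itself last.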