Supporting SELinux in the coreutils

Sylvestre Ledru edited this page Mar 21, 2025 · 3 revisions

An introduction

SELinux stands for Security Enhanced Linux. An excerpt from the official documentation:

Security Enhanced Linux (SELinux) provides an additional layer of system security. SELinux fundamentally answers the question: May <subject> do <action> to <object>?, for example: May a web server access files in users' home directories?

This page isn't meant to introduce the reader to SELinux (refer to the documentation for this). Instead it attempts to guide developers on how to work with SELinux while implementing coreutils, as some utils have options that work with SELinux (examples include the -Z flag present in cp, install and others).

This feature is only available in unprivileged mode on Linux systems (#![cfg(all(target_os = "linux", not(target_env = "kernel")))]).

How to work with SELinux

All SELinux-related functionality is gated behind the feat_selinux Cargo feature, which isn't included in the default features. To enable SELinux support in the built binaries, pass the --features feat_selinux argument to cargo, like this:

# Build 'id' with SELinux
$ cargo build -p uu_id --no-default-features --features feat_selinux
# Build 'id' without SELinux
$ cargo build -p uu_id --no-default-features

Interfacing with SELinux from Rust is handled by the selinux crate.

An existing implementation of SELinux support can be found in the id util; the changes that introduced it are found in this commit.
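
As an added illustration of the gating described above (not code from uutils, which uses the selinux crate), this std-only Rust sketch compiles its SELinux path only when feat_selinux is enabled on userspace Linux and otherwise builds a stub. The names Context, parse_context and current_context are hypothetical, and reading /proc/self/attr/current directly is an assumption made to keep the example free of dependencies.

```rust
/// SELinux security context: user:role:type[:range].
#[derive(Debug, PartialEq)]
pub struct Context {
    pub user: String,
    pub role: String,
    pub type_: String,
    pub range: Option<String>,
}

/// Parse a context string. The MLS/MCS range may itself contain ':'
/// (e.g. "s0-s0:c0.c1023"), so split into at most four fields.
pub fn parse_context(raw: &str) -> Option<Context> {
    // Strip a trailing NUL or newline left by the kernel interface.
    let s = raw.trim_end_matches(|c: char| c == '\0' || c == '\n');
    let mut it = s.splitn(4, ':');
    let user = it.next().filter(|p| !p.is_empty())?;
    let role = it.next().filter(|p| !p.is_empty())?;
    let type_ = it.next().filter(|p| !p.is_empty())?;
    let range = it.next().map(str::to_string);
    Some(Context { user: user.into(), role: role.into(), type_: type_.into(), range })
}

/// Compiled only with `--features feat_selinux` on userspace Linux.
#[cfg(all(feature = "feat_selinux", target_os = "linux", not(target_env = "kernel")))]
pub fn current_context() -> Option<Context> {
    // Assumption: read the kernel interface instead of calling the selinux crate.
    parse_context(&std::fs::read_to_string("/proc/self/attr/current").ok()?)
}

/// Stub used when the feature is off: no SELinux code path is built.
#[cfg(not(all(feature = "feat_selinux", target_os = "linux", not(target_env = "kernel"))))]
pub fn current_context() -> Option<Context> {
    None
}

fn main() {
    match current_context() {
        Some(c) => println!("{}:{}:{} range={:?}", c.user, c.role, c.type_, c.range),
        None => println!("no SELinux context (feature off or SELinux unavailable)"),
    }
}
```

A label that lacks the three mandatory fields is rejected rather than partially parsed, so callers can treat None as "no usable SELinux context".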

SELinux and CI/CD

To run SELinux in the GitHub CI, we start Fedora images, build our implementation with feat_selinux and run the tests.

To develop locally

On Debian/Ubuntu:

sudo apt install selinux-basics selinux-policy-default auditd
sudo selinux-activate
sudo reboot
sestatus

Other resources