SELinux on NixOS
a year ago
- #Security
- #NixOS
- #SELinux
- The author has been working on integrating SELinux into NixOS for ExpidusOS, a mobile OS based on NixOS.
- SELinux was already packaged in nixpkgs but required maintenance, which the author took up last year.
- The SELinux reference policy (refpolicy) was packaged, requiring specific Nix derivation adjustments.
- A basic NixOS module was created to enable SELinux, including kernel patches and configuration files.
- Initial attempts to enable SELinux failed; the first sign of progress came once systemd was built with SELinux support.
- The author ran into a mismatch between policy file versions (policy.33 vs. policy.34) and resolved it by adjusting the build flags.
- SELinux support was successfully enabled, with the correct policy version loading on boot.
- The author cleaned up SELinux handling in nixpkgs, adding a global config flag (selinuxSupport) for broader compatibility.
- Four pull requests were made to upstream SELinux support into nixpkgs and NixOS.
- Future plans include declarative policy creation within NixOS and investigating impacts on the Nix daemon.