This project manages SELinux support in Gentoo. This includes providing
kernels with SELinux support, providing patches to userland utilities, writing
strong Gentoo-specific default profiles, and maintaining a good default set of
Linux (SELinux) is a Mandatory Access Control system using type
enforcement and role-based access control. It is integrated within Linux as a
Linux Security Module (LSM)
implementation. In addition to the kernel portion, SELinux consists of a library
(libselinux) and userland utilities for compiling policy (checkpolicy), and loading
policy (policycoreutils), in addition to other user programs.
One common misconception is that SELinux is a complete security solution. It is
not. SELinux only provides access control on system objects. It can work well
with other Hardened projects, such as PaX, for a more complete solution.
Our goal is to make SELinux (with Gentoo Hardened) available to more users.
As a result, we
develop, improve and maintain the proper documentation and learning
material for end users to master SELinux
maintain a stable yet progressive set of userland tools that are needed
to interoperate with SELinux on a Linux system (such as the core utilities,
libselinux and more)
focus on the integration of SELinux and SELinux-awareness within the Gentoo
distribution, offering the necessary feedback on Portage and other utilities
develop, improve and maintain a good and secure default policy, based on the
reference policy, so that end users have no difficulties working with and
enhancing SELinux within their environment
||Lead ( Documentation, Userspace tools, Policy development )
|Anthony G. Basile
||Developer ( Policy development, Proxy (non developer contributors) )
||Developer ( Policy development, Support )
All developers can be reached by e-mail using email@example.com.
Special Thanks To
The following people are or have been actively contributing to the project:
||Policy development, support
||Previous SELinux subproject lead, policy development, packaging and support
Resources offered by the
I Want to Participate
To participate in the SELinux project first join the mailing list at
firstname.lastname@example.org. Then ask if there are plans to support
something that you are interested in, propose a new subproject that you are
interested in or choose one of the planned subprojects to work on. You may talk
to the developers and users in the IRC channel #gentoo-hardened on
irc.freenode.net for more information or just to chat about the project
or any subprojects. If you don't have the ability to actively help by
contributing work we will always need testers to use and audit the SELinux
policies. All development, testing, feedback, and productive comments will
be greatly appreciated.
The critical component of a SELinux system is having a strong policy. The
team does its best to support as many daemons as possible. However, we cannot
create policies for daemons with which we are unfamiliar. But we are happy
to receive policy submissions for consideration. There are a few requirements:
Make comments (in the policy and/or bug), so we can understand changes
from the Reference Policy example policy.
The policy should cover common installations. Please do not submit policies
for odd or nonstandard daemon configurations.
We need to know if the policy is dependent on another policy (for example
rpcd is dependent on portmap) other than base-policy.
The policy should be submitted on bugzilla.
Please attach the .te and .fc files separately to the bug, not as a tarball.
The bug should be Cc'ed to email@example.com and will be properly
reassigned by the team.