This project manages SELinux support in Gentoo. This includes providing kernels with SELinux support, providing patches to userland utilities, writing strong Gentoo-specific default profiles, and deploying policies from Portage.
The intention of the project is to make SELinux available to more users, and improving its integration. Policy should be available for common daemons, and files merged in from Portage should have the correct file context. Currently we only work on servers, but desktops will be supported in the future.
Security-Enhanced Linux (SELinux) is a system of mandatory access control using type enforcement and role-based access control. It is implemented as a Linux Security Module (LSM). In addition to the kernel portion, SELinux consists of a library (libselinux) and userland utilities for compiling policy (checkpolicy), and loading policy (policycoreutils), in addition to other user programs.
One common misconception is that SELinux is a complete security solution, however, it is not. SELinux only provides one piece of a security solution. It can work well with other Hardened projects, such as PaX, for a more complete solution.
| Developer | Nickname | Role |
| Chris PeBenito | pebenito | Lead ( Policy, x86, AMD64 ) |
All developers can be reached by e-mail using nickname@gentoo.org.
The SELinux project has the following subprojects:
| Project | Lead | Description |
| Base Policy | Chris PeBenito | SELinux policy for the core system, including users, administrators, and daemons in the system profile. |
| Daemon Policy | SELinux policies for common daemons. | |
| x86 | Chris PeBenito | Support for the x86 architecture. |
| AMD64 | Chris PeBenito | Support for the AMD64 (x86-64) architecture. |
The SELinux project has the following subprojects planned:
| Project | Description |
| non-x86 Support | Profiles, installation guides, and support for non-x86 architectures. |
| Desktop | SELinux support on destktops. This involves enhancements to XFree's security, and accompanying policy. |
Resources offered by the SELinux project are:
SELinux can be installed on a new system by following the above install guide.
To participate in the SELinux project first join the mailing list at gentoo-hardened@gentoo.org. Then ask if there are plans to support something that you are interested in, propose a new subproject that you are interested in or choose one of the planned subprojects to work on. You may talk to the developers and users in the IRC channel #gentoo-hardened on irc.freenode.net for more information or just to chat about the project or any subprojects. If you don't have the ability to actively help by contributing work we will always need testers to use and audit the SELinux policies. All development, testing, feedback, and productive comments will be greatly appreciated.
The critical component of a SELinux system is having a strong policy. The team does its best to support as many daemons as possible. However, we cannot create policies for daemons with which we are unfamiliar. But we are happy to receive policy submissions for consideration. There are a few requirements:
The policy should be submitted on bugzilla. Please attach the .te and .fc files separately to the bug, not as a tarball. The bug should be assigned to selinux@gentoo.org.