As you're probably noticing from my twitter feed and the various posts earlier in my blog, I'm helping out with the Gentoo Hardened folks to get the SELinux support state up to par. Today, the Gentoo Hardened/SELinux Handbook had a few updates, but the most important change is that there is now a Gentoo Hardened SELinux FAQ (in draft). I'm hoping that, at the next IRC meeting, we can vote on having it pushed to the main site. Also, the latest changes I made to various SELinux policy ebuilds have been pushed to the main tree.

I'm now focusing on running various servers in KVM guests to test the SELinux policies. Following the Gentoo Virtual Mailhosting HOWTO creates a working system, although a few SELinux-specific steps had to be added (if you follow the guide exactly to the letter, you won't finish it). The issues are minor though: selinux-sasl needs to be installed manually (it isn't pulled in as a dependency), the PIDFILE and SSLPIDFILE variables in /etc/courier-imap/* need to point to /var/run/courier (and that location needs to be created) to match the file context definitions as suggested by upstream, you need to run postalias /etc/mail/aliases instead of newaliases and during the installation of Apache, you might need to chcon -t bin_t /usr/share/build-1/mkdir.sh as you'll get a permission denied otherwise.