The following commit masked several USE flags in the base profile, but in the corresponding selinux profiles they were not unmasked: http://sources.gentoo.org/viewcvs.py/gentoo-x86/profiles/base/use.mask?r1=1.18&r2=1.19 I've been using some of those quite successfully. Portage 2.1.1_pre4-r4 (selinux/2005.1/x86/hardened, gcc-3.4.6/hardened, glibc-2.3.6-r4, 2.6.16-hardened-r11 i686) ================================================================= System uname: 2.6.16-hardened-r11 i686 Intel(R) Pentium(R) 4 CPU 1.60GHz Gentoo Base System version 1.12.4 Last Sync: Tue, 08 Aug 2006 16:20:01 +0000 app-admin/eselect-compiler: 2.0.0_rc2-r1 dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.18.1 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.17 sys-devel/gcc-config: [Not Present] sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -pipe -march=pentium4 -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -pipe -march=pentium4 -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--alphabetical" FEATURES="autoconfig collision-protect distlocks loadpolicy parallel-fetch sandbox selinux sfperms strict stricter userfetch userpriv usersandbox" GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common" LINGUAS="en" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from /etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="x86 X a52 aac alsa bzip2 caps cjk crypt cups curl dts dvd dvdread elibc_glibc ffmpeg flac ftp gif gtk hardened idn input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 jpeg kdeenablefinal kernel_linux linguas_en mad mikmod mmap mmx mp3 ncurses nptl offensive ogg opengl pam pdf pic png selinux sndfile sse sse2 ssl theora threads tiff truetype unicode userland_GNU video_cards_nvidia vorbis win32codecs xinerama xv xvid zlib" Unset: CTARGET, INSTALL_MASK, LC_ALL
fixed in cvs