In Béranger's blog there was a short notice on my cutting down on SELinux work. There are several comments on it, some of which are seriously inaccurate. Quoting bad information from Wikipedia doesn't make it any more true either.

SELinux is open source. The kernel parts are in the regular Linux kernel.
Absolutely not. SELinux is a heavily patched kernel + some tools.
Read http://en.wikipedia.org/wiki/Security-Enhanced_Linux if in doubt.

Sorry, but Wikipedia has a really old quote in there. SELinux is (use the source, Luke!) in the mainstream "vanilla" kernel by Linus Torvalds. There are some improvements which aren't in there yet, but in order to run a SELinux system you no longer need to patch your kernel. The code in the Linux kernel works just fine: no serious bugs, just some new features that are "incoming" and will go into the next Linux kernel. The last larger change in SELinux was around kernel 2.6.9 or so, I think (that depends on your definition of "large", of course, but the last time I patched my kernel with a SELinux patch was around version 2.6.7 or 2.6.8).
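One way to verify the point above on your own machine, as an added example that is not part of the original post: a small POSIX shell check that looks for the in-tree SELinux LSM via the kernel config and the selinuxfs registration in /proc/filesystems. The paths are parameters so the checks can be run against constructed sample files; /boot/config-$(uname -r) as the default config location is an assumption.

```shell
#!/bin/sh
# Added example (not the original post's code): does the running kernel already
# carry the in-tree SELinux LSM, without any out-of-tree patch?
# Paths are parameters so the checks can be exercised on constructed files.

# Returns 0 when the kernel config enables SELinux, 1 otherwise.
# $1: kernel config file (assumed default: /boot/config-$(uname -r))
selinux_in_config() {
    grep -q '^CONFIG_SECURITY_SELINUX=y' "$1"
}

# Returns 0 when the kernel registers the selinuxfs pseudo-filesystem,
# which only an SELinux-enabled kernel does.
# $1: file in /proc/filesystems format ("nodev<TAB>selinuxfs")
selinux_fs_registered() {
    grep -q 'selinuxfs$' "$1"
}

# Returns 0 when selinuxfs is mounted and exports the enforce flag,
# i.e. a policy is actually loaded.
# $1: path to the enforce file (normally /sys/fs/selinux/enforce)
selinux_policy_loaded() {
    [ -r "$1" ]
}

# Prints one line per indicator; returns 0 only if the kernel itself has
# SELinux (config or selinuxfs), independent of whether a policy is loaded.
selinux_kernel_report() {
    cfg="${1:-/boot/config-$(uname -r)}"
    fs="${2:-/proc/filesystems}"
    enf="${3:-/sys/fs/selinux/enforce}"
    have=1
    if [ -r "$cfg" ] && selinux_in_config "$cfg"; then
        echo "config:    CONFIG_SECURITY_SELINUX=y"; have=0
    else
        echo "config:    not enabled, or config file unavailable"
    fi
    if [ -r "$fs" ] && selinux_fs_registered "$fs"; then
        echo "selinuxfs: registered by the kernel"; have=0
    else
        echo "selinuxfs: not registered"
    fi
    if selinux_policy_loaded "$enf"; then
        echo "policy:    loaded (enforce=$(cat "$enf"))"
    else
        echo "policy:    not loaded (selinuxfs not mounted or SELinux disabled)"
    fi
    return $have
}
```

Run `selinux_kernel_report` with no arguments on a live system; a stock distribution kernel with SELinux built in reports the first two indicators as present even when no policy is loaded.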

All the SELinux code is open source, has rather strict coding guidelines (basically, use the coding style of the Linux kernel...) and there are no magic patches from the NSA being applied. Have a look at the mailing list archives to see how patches to SELinux are handled. The NSA would have a hard time hiding secret spying backdoors in these patches, which go through several more reviews before ending up in the Linux kernel. So you can trust them exactly as much as the Linux kernel itself, and definitely a lot more than the nvidia or ATI drivers. If I were the NSA and wanted a backdoor into many systems, I'd ask ATI and Nvidia to put the backdoors into their drivers. There is plenty of room in there.

AppArmor is not in the stock Linux kernel, and hasn't received a warm welcome so far...