We have been working on adding SELINUX support to SourceMage GNU/Linux. Currently it's NOT a full implementation, so your best bet is to answer 'n'to any selinux questions sorcery and/or cast might ask you.
NOTE: I (Arjan Bouter) have given up on SELINUX altogether. Mostly due to my lack of coding skills to write patches and the lack of interest by other Source Mage users. If anyone feels like picking up where i left off, please feel free to do so.
What SELINUX is: SELinux was created by the National Security Agency as an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of that work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system.
The security mechanisms implemented in the system provide flexible support for a wide range of security policies. They make it possible to configure the system to meet a wide range of security requirements. The release includes a general-purpose security policy configuration designed to meet a number of security objectives as an example of how this may be done. The flexibility of the system allows the policy to be modified and extended to customize the security policy as required for any given installation.
More info can be found at: http://www.nsa.gov/selinux http://selinux.sourceforge.net
Where we are: Most of the work, adding patches and/or configure options to spells, is done. One of the most important spells which still needs work is coreutils. When that's done it's just a matter of creating the policy and enabling SELINUX during init, or before init during an initrd (this was done before the sysvinit patch was used). The policies most distro's seem to use are based on the SUSE policies. Those are freely available on their ftp server and could be used as the base for our own implementation.
What needs to be discussed: SELINUX is basically an all-or-nothing choice. It will only work when every spell which can use it is compiled with SELINUX support. We've got a couple of options to achieve this:
- create a selinux profile spell. Which can depend on the SELINUX specific spells and which could be checked for automagically by other spells. Those other spells can then silently enable selinux support.
- create a SELINUX grimoire. This grimoire would contain the spells which have SELINUX support and which will build with SELINUX support by default.
Both approaches have their advantages. When the spells are in their own grimoire we can update spells in the main grimoire whenever there's a new version. Because the SELINUX patches are frequently only available after a couple of weeks of new releases. The profile spell would have the advantage that sorcery doesn't have to make sure the selinux grimoire is mentioned 1st in the grimoire list. It would also be less confusing for our users. (one less grimoire to worry about.)
What to do when you 'accidentally' enabled some selinux support: No need to worry, the only thing that will fail for you is the latest glibc spell. Your box will be perfectly usable. This is because the SELINUX related spells do not install the init script which enables SELINUX. This was done intentionally 
When you want to get rid of everything SELINUX related you'll have to:
- dispel setools libselinux libsepol policy-coreutils checkpolicy policy
- cast -c -r glibc
- cast -c -r udev shadow linux-pam
this will remove any trace of SELINUX from your box (except maybe the kernel support, if you also enabled that).