hardened Gentoo SELinux policy for nx