diff --git a/app-portage/virtual-appliance/Manifest b/app-portage/virtual-appliance/Manifest
new file mode 100644
index 0000000..4a52323
--- /dev/null
+++ b/app-portage/virtual-appliance/Manifest
@@ -0,0 +1,4 @@
+AUX hardened.diff 5341 SHA256 190e5b6f5ab5e776daf9986d93d9a86264292a4783e70c7b7acbcec808e99cc7 SHA512 4f8999ede71d3731f3b6175a96e9136907faae3fa97efa1fcd701945c2db98c21b5bd2c16928352629822ad8c3269659638f7e8bc6394432101f57be3a4d7ad3 WHIRLPOOL d757da6bb3593c1156736045b286a23d5d9029f9a1961a997ba09d184f176af89d5331431afb38753d086768771cf622fd30b71105d500d367ddc5c1750f7e53
+AUX varconfpath.diff 479 SHA256 a0ea9b4913ff77bce859b18c2643885f9e146ff80328e4e57dfa45556c47d243 SHA512 d463f21b4efcf8ec097dfee32864b1bd84c5cf4e2626587c97cebf8849978b0410718cf1fdd612536bdea9ee579fa3353885b0c12075acbac58c33cd65fb919b WHIRLPOOL af33ba687ffe829117b25b1b53a703a2eb599f5957782229937fed56fbf9618984afe1a63bf0378f9aea962f52588ca05e82e5082aea4eb9f921ccb89c162b9c
+DIST marduk-virtual-appliance-aa58756d5178.tar.bz2 48941 SHA256 72fd95203a6cacb4c25e12c8a1cd89d1ae4cfa4ae8eeb616cd3f92b2a2eb1294 SHA512 8625c6f2cccdcd04446c1998b4e640ee1d3e35b7eb244524c8ff8cba80ae8d5ff62be780fa82016d092ae2ff099e3ee8dd020b0ab2aed99fbff1c99cfc89c2de WHIRLPOOL b15ae7fcb33f9ad855a7a39b4abf7cec2d65057e6349dee7710eafa4c1c4b102273c95e600f567297c8ae6c579851788f88f33711d3d8d8c0c779371e969e0df
+EBUILD virtual-appliance-20140911.ebuild 1054 SHA256 8f9bc5322d2c5cc480548a1a3b73d52e1f9d23bbc59243fdf1f01b52cfda8b3c SHA512 9aaaf338e05c1624c8d39780028a94ee0fdeb7ce1141da475e3730f980c0c9540ce855eb7a8226015a9671aec402b6f15e093cb8c17e3f0a2fb283951359ebbd WHIRLPOOL 889fae12daa599b962b2ecc90497fbb474a1ce1185597ee7fb2c9e748a3ed2a5fd8b6363cc41f7bff8b86a7245c25469ad2c56cb5b0ee01f17f475a691061a90
diff --git a/app-portage/virtual-appliance/files/hardened.diff b/app-portage/virtual-appliance/files/hardened.diff
new file mode 100644
index 0000000..f324ff1
--- /dev/null
+++ b/app-portage/virtual-appliance/files/hardened.diff
@@ -0,0 +1,108 @@
+diff -Naur virtual-appliance.orig/configs/make.conf.amd64-hardened virtual-appliance/configs/make.conf.amd64-hardened
+--- virtual-appliance.orig/configs/make.conf.amd64-hardened 1970-01-01 01:00:00.000000000 +0100
++++ virtual-appliance/configs/make.conf.amd64-hardened 2014-09-26 09:44:30.000000000 +0200
+@@ -0,0 +1,14 @@
++CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4"
++CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4"
++CHOST="x86_64-pc-linux-gnu"
++MAKEOPTS="-j2"
++USE="-* berkdb gdbm hardened nls nptl open_perms pam pcre peer_perms ubac unconfined unicode xattr zlib ptpax xtpax"
++ALSA_PCM_PLUGINS="*"
++CLEAN_DELAY="0"
++EMERGE_WARNING_DELAY="0"
++AUTO_CLEAN="yes"
++EPAUSE_IGNORE="1"
++EMERGE_DEFAULT_OPTS="--jobs=2 --autounmask=n"
++FEATURES="noinfo -test nodoc noman nostrip unmerge-orphans buildpkg notitles parallel-fetch -selinux -sesandbox"
++CURL_SSL="openssl"
++PYTHON_TARGETS="python2_7 python3_3"
+diff -Naur virtual-appliance.orig/Makefile virtual-appliance/Makefile
+--- virtual-appliance.orig/Makefile 2014-09-26 10:48:54.721491795 +0200
++++ virtual-appliance/Makefile 2014-09-24 09:41:19.000000000 +0200
+@@ -22,6 +22,9 @@
+ HEADLESS = NO
+ EXTERNAL_KERNEL = NO
+ UDEV = YES
++LOGGER = metalog
++PROFILE = 1
++SELINUX = NO
+ SOFTWARE = 1
+ PKGLIST = 0
+ ACCEPT_KEYWORDS = amd64
+@@ -149,8 +152,8 @@
+ @exit 1
+ 
+ sync_stage3:
+- rsync --no-motd $(RSYNC_MIRROR)/releases/`echo $(ARCH)|sed 's/i.86/x86/'`/autobuilds/latest-stage3.txt latest-stage3.txt
+- rsync --no-motd $(RSYNC_MIRROR)/releases/$(ARCH)/autobuilds/$$(grep stage3-$$(echo $(ARCH)|sed 's/x86/i686/')-[0-9]*\.tar\.bz2 latest-stage3.txt) stage3-$(ARCH)-latest.tar.bz2
++ rsync --no-motd $(RSYNC_MIRROR)/releases/`echo $(ARCH)|sed 's/-hardened//'|sed 's/i.86/x86/'`/autobuilds/latest-stage3.txt latest-stage3.txt
++ rsync --no-motd $(RSYNC_MIRROR)/releases/`echo $(ARCH)|sed 's/-hardened//'`/autobuilds/$$(grep stage3-$$(echo $(ARCH)|sed 's/x86/i686/')-[0-9]*\.tar\.bz2 latest-stage3.txt) stage3-$(ARCH)-latest.tar.bz2
+ 
+ 
+ stage3: stage3-$(ARCH)-latest.tar.bz2
+@@ -171,7 +174,7 @@
+ endif
+ echo ACCEPT_KEYWORDS=$(ACCEPT_KEYWORDS) >> $(CHROOT)/etc/portage/make.conf
+ -[ -f "appliances/$(APPLIANCE)/make.conf" ] && cat "appliances/$(APPLIANCE)/make.conf" >> $(CHROOT)/etc/portage/make.conf
+- $(inroot) eselect profile set 1
++ $(inroot) eselect profile set $(PROFILE)
+ cp configs/locale.gen $(CHROOT)/etc/locale.gen
+ $(inroot) locale-gen
+ mkdir -p $(CHROOT)/etc/portage
+@@ -228,8 +231,8 @@
+ 
+ systools: sysconfig compile_options
+ @scripts/echo Installing standard system tools
+- $(inroot) $(EMERGE) -n $(USEPKG) app-admin/metalog
+- $(inroot) /sbin/rc-update add metalog default
++ $(inroot) $(EMERGE) -n $(USEPKG) app-admin/$(LOGGER)
++ $(inroot) /sbin/rc-update add $(LOGGER) default
+ ifeq ($(DASH),YES)
+ if ! test -e "$(STAGE4_TARBALL)"; \
+ then $(inroot) $(EMERGE) -n $(USEPKG) app-shells/dash; \
+@@ -238,6 +241,14 @@
+ fi
+ $(inroot) ln -sf dash /bin/sh
+ endif
++ifeq ($(SELINUX),YES)
++ $(inroot) $(EMERGE) -n $(USEPKG) -1 sys-apps/checkpolicy sys-apps/policycoreutils
++ $(inroot) $(EMERGE) -n $(USEPKG) -1 sec-policy/selinux-base
++ $(inroot) $(EMERGE) -n $(USEPKG) sec-policy/selinux-base-policy
++ $(inroot) /sbin/rc-update add selinux_gentoo boot
++ echo "tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0" >> $(CHROOT)/etc/fstab
++ echo "tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0" >> $(CHROOT)/etc/fstab
++endif
+ touch systools
+ 
+ grub: stage3 configs/grub.conf kernel scripts/grub-headless.sed
+@@ -413,13 +424,17 @@
+ @echo 'CHROOT= - The directory to build the chroot'
+ @echo 'DISK_SIZE= - Size of the disk image'
+ @echo 'SWAP_SIZE= - Size of the swap file'
+- @echo 'ARCH= - Architecture to build for (x86 or amd64)'
++ @echo 'ARCH= - Architecture to build for'
++ @echo ' (x86, amd64 or amd64-hardened)'
+ @echo 'VIRTIO=YES - Configure the stage2/image to use virtio'
+ @echo 'EXTERNAL_KERNEL=YES - Do not build a kernel in the image'
+ @echo 'HEADLESS=YES - Build a headless (serial console) image.'
+ @echo 'REMOVE_PORTAGE_TREE=NO - Do not exclude the portage tree from the image'
+ @echo 'PKGDIR= - Directory to use/store binary packages'
+ @echo 'ENABLE_SSHD=YES - Enable sshd to start automatically in the image'
++ @echo 'LOGGER=metalog - Logging daemon (metalog, syslog-ng)'
++ @echo 'PROFILE=1 - select profile'
++ @echo 'SELINUX=NO - enable SELinux'
+ @echo
+ @scripts/echo 'Example'
+ @echo 'make APPLIANCE=mongodb HEADLESS=YES VIRTIO=YES stage4 qcow clean'
+diff -Naur virtual-appliance.orig/scripts/kernel.sh virtual-appliance/scripts/kernel.sh
+--- virtual-appliance.orig/scripts/kernel.sh 2014-09-11 15:11:09.000000000 +0200
++++ virtual-appliance/scripts/kernel.sh 2014-09-26 09:25:08.000000000 +0200
+@@ -24,7 +24,7 @@
+ make ${MAKEOPTS} oldconfig
+ make ${MAKEOPTS}
+ rm -rf /lib/modules/*
+-make ${MAKEOPTS} modules_install
++grep -q CONFIG_MODULES=y .config && make ${MAKEOPTS} modules_install
+ rm -f /boot/vmlinuz*
+ make ${MAKEOPTS} install
+ cp -a /usr/src/linux/.config /root/kernel.config
diff --git a/app-portage/virtual-appliance/files/varconfpath.diff b/app-portage/virtual-appliance/files/varconfpath.diff
new file mode 100644
index 0000000..92bfa68
--- /dev/null
+++ b/app-portage/virtual-appliance/files/varconfpath.diff
@@ -0,0 +1,12 @@
+diff -Naur virtual-appliance.orig/Makefile virtual-appliance/Makefile
+--- virtual-appliance.orig/Makefile 2014-09-11 15:11:09.000000000 +0200
++++ virtual-appliance/Makefile 2014-09-19 11:16:00.614382539 +0200
+@@ -41,7 +41,7 @@
+ CRITICAL = appliances/$(APPLIANCE)/critical
+ 
+ # Allow appliance to override variables
+--include appliance/$(APPLIANCE)/$(APPLIANCE).cfg
++-include appliances/$(APPLIANCE)/$(APPLIANCE).cfg
+ 
+ # Allow user to override variables
+ -include $(profile).cfg
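Review bot: The rewritten `sync_stage3` recipe strips `-hardened` from the `latest-stage3.txt` path but still greps that file for `stage3-$(ARCH)-…`, so for `ARCH=amd64-hardened` it only works if the generic latest-stage3.txt actually lists the hardened tarball; if it does not, the unquoted `$$(grep …)` expands to nothing and rsync is handed a bare directory path instead of failing clearly. Capturing the grep result first and guarding it, e.g. `test -n "$$f" || { echo "no stage3 found for $(ARCH)" >&2; exit 1; }`, would make that failure explicit. Neither the old nor the new recipe verifies the fetched stage3 against its `.DIGESTS.asc` (Gentoo release signing key) before it becomes the chroot's root filesystem; since the commit reworks these two lines anyway, fetching the digests file and checking it before `stage3:` unpacks is the natural place. Separately, `make.conf.amd64-hardened` sets `FEATURES=… -selinux -sesandbox` and a `USE="-* …"` list without `selinux`, while the new `SELINUX=YES` branch installs the SELinux policy packages — worth confirming that combination is intended and, if so, saying so in a comment on the `ifeq ($(SELINUX),YES)` block.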
diff --git a/app-portage/virtual-appliance/virtual-appliance-20140911.ebuild b/app-portage/virtual-appliance/virtual-appliance-20140911.ebuild
new file mode 100644
index 0000000..905aa12
--- /dev/null
+++ b/app-portage/virtual-appliance/virtual-appliance-20140911.ebuild
@@ -0,0 +1,52 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=4
+
+inherit eutils linux-info toolchain-funcs
+
+MY_REV="aa58756d5178" # checkout revision
+MY_USR="marduk" # user name
+
+MY_P="${MY_USR}-${PN}-${MY_REV}"
+
+DESCRIPTION="Programatically (re)create Gentoo Virtual Appliances"
+HOMEPAGE="https://bitbucket.org/marduk/virtual-appliance/wiki/Home"
+SRC_URI="https://bitbucket.org/${MY_USR}/${PN}/get/${MY_REV}.tar.bz2 -> ${MY_P}.tar.bz2"
+
+LICENSE="unknown"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE=""
+
+DEPEND="app-emulation/qemu
+ sys-block/parted"
+RDEPEND="${DEPEND}"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+ CONFIG_CHECK="BLK_DEV_NBD"
+ linux-info_pkg_setup
+}
+
+src_prepare() {
+ rm .hg_archival.txt
+ rm .hgignore
+ epatch ${FILESDIR}/varconfpath.diff
+ epatch ${FILESDIR}/hardened.diff
+}
+
+src_compile() {
+ einfo "Nothing to compile"
+}
+
+src_install() {
+ insinto /opt/${PN}
+ cp -r . ${D}/opt/${PN}
+
+ echo "CONFIG_PROTECT=\"/opt/${PN}/configs\"" > "${T}"/99${PN}
+ doenvd "${T}"/99${PN}
+
+}
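Review bot: `src_prepare` and `src_install` leave `${FILESDIR}` and `${D}` unquoted and the plain `rm`/`cp` calls are not ebuild helpers, so a failed copy into the image directory is silently ignored; use `rm .hg_archival.txt .hgignore || die`, `epatch "${FILESDIR}"/varconfpath.diff` (likewise for hardened.diff), and `cp -r . "${D}"/opt/${PN} || die`. The `insinto /opt/${PN}` line has no effect on the `cp -r` that follows it, so the install bypasses the helpers and ends up with whatever ownership and modes the unpacked tree had; if keeping the scripts' exec bits is why `doins -r` was avoided, a one-line comment saying so would help the next maintainer. A brand-new ebuild with `KEYWORDS="amd64 x86"` rather than `~amd64 ~x86` and `LICENSE="unknown"` rather than an actual license name is outside the tree's conventions, and the `1999-2011` copyright line on a 2014 ebuild looks stale.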