Switch to "mcs" SELinux policy

We're going to want the ability for processes to have unique categories,
to enforce separation of container processes.  Gentoo's SELinux policy
supports both Multi-Category Security and Multi-Level Security modes,
although the latter does not seem to work out of the box.

build-rootfs.sh

@@ -100,10 +100,10 @@ setfiles \
     -F \
     -m \
     -r /mnt/gentoo \
-    -c /mnt/gentoo/etc/selinux/strict/policy/policy.* \
+    -c /mnt/gentoo/etc/selinux/mcs/policy/policy.* \
     -e /mnt/gentoo/var/db/pkg \
     -e /mnt/gentoo/etc/portage \
-    /mnt/gentoo/etc/selinux/strict/contexts/files/file_contexts \
+    /mnt/gentoo/etc/selinux/mcs/contexts/files/file_contexts \
     /mnt/gentoo
 
 touch /mnt/gentoo/usr

overlay/etc/selinux/config

@@ -12,4 +12,4 @@ SELINUX=enforcing
 #	mls      - Full SELinux protection with Multi-Level Security
 #	mcs      - Full SELinux protection with Multi-Category Security 
 #	           (mls, but only one sensitivity level)
-SELINUXTYPE=strict
+SELINUXTYPE=mcs

portage/config/target/etc/portage/make.conf/60-selinux.conf

@@ -0,0 +1,2 @@
+USE="${USE} -unconfined"
+POLICY_TYPES=mcs