Add semanage.sh script

The `semanage.sh` script starts an interactive shell in an alternate
mount namespace where `/etc/selinux` and `/var/lib/selinux` are
bind-mounted from the target filesystem.  This allows SELinux management
commands like `setsebool`, `semodule, `semanage`, etc. to work on the
target policy, since not all of them directly support working on an
alternate policy.

semanage.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ -z ${UNSHARED} ]; then
+	export UNSHARED=1
+	exec unshare -m "$0" "$@"
+fi
+unset UNSHARED
+mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
+mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
+exec bash