diff --git a/install.packages b/install.packages
index 472ccfe..19d1144 100644
--- a/install.packages
+++ b/install.packages
@@ -1,5 +1,6 @@
net-misc/openssh
net-misc/wget
+sec-policy/selinux-aimee-os
sys-apps/busybox
sys-apps/systemd
sys-fs/btrfs-progs
diff --git a/portage/repos/aimee-os/metadata/layout.conf b/portage/repos/aimee-os/metadata/layout.conf
index d43e61c..ca9fee1 100644
--- a/portage/repos/aimee-os/metadata/layout.conf
+++ b/portage/repos/aimee-os/metadata/layout.conf
@@ -1 +1,2 @@
masters = gentoo
+thin-manifests = true
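Review bot: `thin-manifests = true` means the new Manifest lists only the two DIST tarballs, so the policy sources under `files/` added in this commit (aimee-os.te, .fc, .if) are not covered by Manifest checksums and their integrity rests on how the overlay itself is fetched and verified. That is the same trade-off the main Gentoo tree makes, but a one-line comment above the setting would make the expectation explicit, e.g. `# files/ is not checksummed; repository integrity comes from the sync transport`.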
diff --git a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/Manifest b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/Manifest
new file mode 100644
index 0000000..da1fdd1
--- /dev/null
+++ b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/Manifest
@@ -0,0 +1,2 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc
new file mode 100644
index 0000000..5c032b2
--- /dev/null
+++ b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc
@@ -0,0 +1,6 @@
+/usr/libexec/init-storage -- gen_context(system_u:object_r:aimee_storinit_exec_t,s0)
+/usr/bin/system-update -- gen_context(system_u:object_r:aimee_sysupdate_exec_t,s0)
+
+/var/run/storinit(/.*)? gen_context(system_u:object_r:aimee_storinit_runtime_t,s0)
+
+/var/lib/ssh/.*_key.* -- gen_context(system_u:object_r:sshd_key_t,s0)
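Review bot: `/var/run/storinit(/.*)?` uses the legacy /var/run prefix, while refpolicy of this generation labels runtime data under `/run` and ships `/var/run` as a substitution to `/run` in file_contexts.subs_dist; if that mapping is active on the target, lookups for the directory are rewritten to `/run/storinit` before matching and this spec never applies. The `files_runtime_filetrans` rule in the .te would still label the directory at creation time, but a later `restorecon` would presumably reset it to the parent's label. Writing the entry as `/run/storinit(/.*)? gen_context(system_u:object_r:aimee_storinit_runtime_t,s0)` follows the refpolicy convention and avoids the mismatch.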
diff --git a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.if b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.if
new file mode 100644
index 0000000..4bcb069
--- /dev/null
+++ b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.if
@@ -0,0 +1,47 @@
+## Policy for Aimee OS utilities.
+
+########################################
+##
+## Execute system-update in the aimee_sysupdate_t
+## domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`aimee_os_system_update_domtrans',`
+ gen_require(`
+ type aimee_sysupdate_t, aimee_sysupdate_exec_t;
+ ')
+
+ domtrans_pattern($1, aimee_sysupdate_exec_t, aimee_sysupdate_t)
+')
+
+########################################
+##
+## Execute system-update in the aimee_sysupdate_t
+## domain, and allow the specified role the
+## aimee_sysupdate_t domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`aimee_os_run_system_update',`
+ gen_require(`
+ type aimee_sysupdate_t;
+ ')
+
+ aimee_os_system_update_domtrans($1)
+ role $2 types aimee_sysupdate_t;
+')
diff --git a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
new file mode 100644
index 0000000..70f18af
--- /dev/null
+++ b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -0,0 +1,154 @@
+policy_module(aimee-os, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type aimee_storinit_t;
+type aimee_storinit_exec_t;
+init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)
+
+type aimee_storinit_runtime_t;
+files_runtime_file(aimee_storinit_runtime_t)
+
+type aimee_sysupdate_t;
+type aimee_sysupdate_exec_t;
+userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)
+
+type aimee_sysupdate_tmp_t;
+files_tmp_file(aimee_sysupdate_tmp_t)
+
+########################################
+#
+# init-storage local policy
+#
+
+allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
+allow aimee_storinit_t self:capability { chown fsetid sys_admin };
+
+manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
+manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
+files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)
+
+corecmd_exec_bin(aimee_storinit_t)
+
+storage_raw_read_fixed_disk(aimee_storinit_t)
+fstools_domtrans(aimee_storinit_t)
+mount_exec(aimee_storinit_t)
+miscfiles_read_localization(aimee_storinit_t)
+mount_list_runtime(aimee_storinit_t)
+dev_read_sysfs(aimee_storinit_t)
+kernel_search_debugfs(aimee_storinit_t)
+kernel_list_unlabeled(aimee_storinit_t)
+fs_getattr_all_fs(aimee_storinit_t)
+fs_mount_all_fs(aimee_storinit_t)
+fs_unmount_all_fs(aimee_storinit_t)
+allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;
+
+gen_require(`
+ type mount_runtime_t;
+')
+dontaudit aimee_storinit_t mount_runtime_t:dir write;
+
+files_manage_var_dirs(aimee_storinit_t)
+files_manage_var_files(aimee_storinit_t)
+files_manage_var_symlinks(aimee_storinit_t)
+
+gen_require(`
+ type var_lib_t, var_lock_t, var_run_t;
+ type semanage_store_t;
+ type semanage_read_lock_t, semanage_trans_lock_t;
+ type system_dbusd_var_lib_t;
+ type init_var_lib_t;
+ type auditd_log_t;
+ type tmp_t;
+ attribute logfile;
+')
+manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
+manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
+manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
+manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
+manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
+manage_files_pattern(aimee_storinit_t, logfile, logfile)
+manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
+manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
+manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
+
+########################################
+#
+# system-update local policy
+#
+
+allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
+allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
+allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;
+
+files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
+manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
+manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
+
+filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")
+
+domain_use_interactive_fds(aimee_sysupdate_t)
+userdom_use_inherited_user_terminals(aimee_sysupdate_t)
+corecmd_exec_bin(aimee_sysupdate_t)
+selinux_get_fs_mount(aimee_sysupdate_t)
+seutil_read_config(aimee_sysupdate_t)
+userdom_search_user_home_dirs(aimee_sysupdate_t)
+kernel_read_system_state(aimee_sysupdate_t)
+fstools_exec(aimee_sysupdate_t)
+fstools_manage_runtime_files(aimee_sysupdate_t)
+miscfiles_read_localization(aimee_sysupdate_t)
+storage_raw_rw_fixed_disk(aimee_sysupdate_t)
+dev_read_sysfs(aimee_sysupdate_t)
+files_read_etc_files(aimee_sysupdate_t)
+systemd_read_resolved_runtime(aimee_sysupdate_t)
+systemd_stream_connect_resolved(aimee_sysupdate_t)
+corenet_tcp_connect_http_port(aimee_sysupdate_t)
+corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
+files_manage_non_security_dirs(aimee_sysupdate_t)
+files_manage_non_security_files(aimee_sysupdate_t)
+mount_exec(aimee_sysupdate_t)
+mount_list_runtime(aimee_sysupdate_t)
+fs_getattr_all_fs(aimee_sysupdate_t)
+fs_mount_all_fs(aimee_sysupdate_t)
+fs_unmount_all_fs(aimee_sysupdate_t)
+dbus_system_bus_client(aimee_sysupdate_t)
+systemd_dbus_chat_logind(aimee_sysupdate_t)
+logging_send_syslog_msg(aimee_sysupdate_t)
+files_mounton_non_security(aimee_sysupdate_t)
+
+gen_require(`
+ type sysadm_t;
+ role sysadm_r;
+')
+aimee_os_run_system_update(sysadm_t, sysadm_r)
+
+########################################
+#
+# Additional policy rules for Aimee OS-specific behavior
+#
+
+# Allow ssh-keygen to create host key files in /var/lib/ssh
+gen_require(`
+ type ssh_keygen_t;
+ type sshd_key_t, var_lib_t;
+')
+allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
+filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)
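Review bot: `filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")` labels a file named `install` created under the updater's tmp directory as bin_t, so whatever an update bundle (fetched over the ports granted by `corenet_tcp_connect_http_port`) ships under that name becomes executable via `corecmd_exec_bin(aimee_sysupdate_t)` inside the same domain, which holds sys_admin, raw fixed-disk write and mount-all rights. The policy cannot check the bundle's integrity, so the verification step belongs to system-update itself and should be stated here, e.g. `# update bundles carry an "install" script that runs in this domain; system-update must verify the bundle signature before unpacking`. Separately, the storinit section requires types of other modules directly (var_lib_t, semanage_store_t, auditd_log_t, the logfile attribute, tmp_t …) instead of calling their owning interfaces, and grants manage rights over the policy store and audit logs; if the daemon only needs to create the initial tree on a fresh /var, a comment naming that purpose would let a later reviewer judge whether those two grants are still needed. `corenet_tcp_connect_soundd_port(aimee_sysupdate_t)` likewise deserves a comment saying which service the updater reaches on that port.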
diff --git a/portage/repos/aimee-os/sec-policy/selinux-aimee-os/selinux-aimee-os-2.20221101-r3.ebuild b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/selinux-aimee-os-2.20221101-r3.ebuild
new file mode 100644
index 0000000..45116b9
--- /dev/null
+++ b/portage/repos/aimee-os/sec-policy/selinux-aimee-os/selinux-aimee-os-2.20221101-r3.ebuild
@@ -0,0 +1,14 @@
+# Copyright 2023 Dustin C. Hatch
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+IUSE=""
+MODS="aimee-os"
+POLICY_FILES="aimee-os.te aimee-os.fc aimee-os.if"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for AimeeOS"
+
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"