rsync -a /etc/default/grub /etc/default/._cfg0000_grub && \
sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/GRUB_CMDLINE_LINUX_DEFAULT="\1 lsm=selinux gk.preserverun.disabled=1"/' /etc/default/._cfg0000_grub

➤ semanage login -l

Login Name                SELinux User

__default__               user_u
root                      root

➤ semanage user -l
SELinux User    SELinux Roles

root            staff_r sysadm_r
staff_u         staff_r sysadm_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    unconfined_r
user_u          user_r

mkdir /mnt/gentoo
# mount /boot and /efi*, too!
mount -o bind / /mnt/gentoo
setfiles -r /mnt/gentoo /etc/selinux/mcs/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp,boot,efi*,var/cache/binpkgs,var/cache/distfiles,var/db/repos/gentoo,var/tmp}
umount /mnt/gentoo
rlpkg -a -r

➤ semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0                *

➤ semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            sysadm     s0         s0-s0:c0.c1023                 staff_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023                 staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023                 unconfined_r
user_u          user       s0         s0                             user_r

semanage login -a -s staff_u david
semanage login -m -s user_u __default__
semanage login -a -s root root
restorecon -RFv /home/david /root
bash -c 'echo "%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL" | EDITOR="tee" visudo -f /etc/sudoers.d/wheel; echo $?'

semanage user -m -R "staff_r sysadm_r system_r" root
semanage user -m -R "staff_r sysadm_r system_r" staff_u

rc-update add auditd

➤ tree /etc/portage/patches
/etc/portage/patches
└── sys-apps
    └── openrc
        └── init-early.sh.patch

2 directories, 1 files

➤ semanage port -l | grep -e ssh -e Port
SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      22
➤ semanage port -a -t ssh_port_t -p tcp 50022
➤ semanage port -l | grep -e ssh -e Port
SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      50022, 22

➤ semanage fcontext -l | grep "\\\.gnupg"
/home/[^/]+/\.gnupg(/.+)?           all files  user_u:object_r:gpg_secret_t:s0
/home/[^/]+/\.gnupg/S\.gpg-agent.*  socket     user_u:object_r:gpg_agent_tmp_t:s0
/home/[^/]+/\.gnupg/S\.scdaemon     socket     user_u:object_r:gpg_agent_tmp_t:s0
/home/[^/]+/\.gnupg/crls\.d(/.+)?   all files  user_u:object_r:dirmngr_home_t:s0
/home/[^/]+/\.gnupg/log-socket      socket     user_u:object_r:gpg_agent_tmp_t:s0
/home/david/\.gnupg(/.+)?           all files  staff_u:object_r:gpg_secret_t:s0
/home/david/\.gnupg/S\.gpg-agent.*  socket     staff_u:object_r:gpg_agent_tmp_t:s0
/home/david/\.gnupg/S\.scdaemon     socket     staff_u:object_r:gpg_agent_tmp_t:s0
/home/david/\.gnupg/crls\.d(/.+)?   all files  staff_u:object_r:dirmngr_home_t:s0
/home/david/\.gnupg/log-socket      socket     staff_u:object_r:gpg_agent_tmp_t:s0
/root/\.gnupg(/.+)?                 all files  root:object_r:gpg_secret_t:s0
/root/\.gnupg/S\.gpg-agent.*        socket     root:object_r:gpg_agent_tmp_t:s0
/root/\.gnupg/S\.scdaemon           socket     root:object_r:gpg_agent_tmp_t:s0
/root/\.gnupg/crls\.d(/.+)?         all files  root:object_r:dirmngr_home_t:s0
/root/\.gnupg/log-socket            socket     root:object_r:gpg_agent_tmp_t:s0

while read -r line; do

    case $(awk '{print $2}' <<<"${line}") in
        regular)
            file_type="f";;
        directory)
            file_type="d";;
        character)
            file_type="c";;
        block)
            file_type="b";;
        socket)
            file_type="s";;
        symbolic)
            file_type="l";;
        named)
            file_type="p";;
        all)
            file_type="a";;
    esac

    selinux_type="$(awk -F':' '{print $(NF-1)}' <<<"${line}")"
    path="$(awk '{print $1}' <<<"${line}")"

    semanage fcontext -a -f "${file_type}" -s staff_u -t "${selinux_type}" "$(sed 's|home/\[\^/\]+/\\\.gnupg|etc/gentoo-installation/gnupg|' <<<${path})"
done < <(semanage fcontext -l | grep "/home/\[\^/\]+/\\\.gnupg")

➤ semanage fcontext -l | grep -e "\\\.gnupg" -e "/etc/gentoo-installation/gnupg"
/etc/gentoo-installation/gnupg(/.+)?           all files  staff_u:object_r:gpg_secret_t:s0
/etc/gentoo-installation/gnupg/S\.gpg-agent.*  socket     staff_u:object_r:gpg_agent_tmp_t:s0
/etc/gentoo-installation/gnupg/S\.scdaemon     socket     staff_u:object_r:gpg_agent_tmp_t:s0
/etc/gentoo-installation/gnupg/crls\.d(/.+)?   all files  staff_u:object_r:dirmngr_home_t:s0
/etc/gentoo-installation/gnupg/log-socket      socket     staff_u:object_r:gpg_agent_tmp_t:s0
/home/[^/]+/\.gnupg(/.+)?                      all files  user_u:object_r:gpg_secret_t:s0
/home/[^/]+/\.gnupg/S\.gpg-agent.*             socket     user_u:object_r:gpg_agent_tmp_t:s0
/home/[^/]+/\.gnupg/S\.scdaemon                socket     user_u:object_r:gpg_agent_tmp_t:s0
/home/[^/]+/\.gnupg/crls\.d(/.+)?              all files  user_u:object_r:dirmngr_home_t:s0
/home/[^/]+/\.gnupg/log-socket                 socket     user_u:object_r:gpg_agent_tmp_t:s0
/home/david/\.gnupg(/.+)?                      all files  staff_u:object_r:gpg_secret_t:s0
/home/david/\.gnupg/S\.gpg-agent.*             socket     staff_u:object_r:gpg_agent_tmp_t:s0
/home/david/\.gnupg/S\.scdaemon                socket     staff_u:object_r:gpg_agent_tmp_t:s0
/home/david/\.gnupg/crls\.d(/.+)?              all files  staff_u:object_r:dirmngr_home_t:s0
/home/david/\.gnupg/log-socket                 socket     staff_u:object_r:gpg_agent_tmp_t:s0
/root/\.gnupg(/.+)?                            all files  root:object_r:gpg_secret_t:s0
/root/\.gnupg/S\.gpg-agent.*                   socket     root:object_r:gpg_agent_tmp_t:s0
/root/\.gnupg/S\.scdaemon                      socket     root:object_r:gpg_agent_tmp_t:s0
/root/\.gnupg/crls\.d(/.+)?                    all files  root:object_r:dirmngr_home_t:s0
/root/\.gnupg/log-socket                       socket     root:object_r:gpg_agent_tmp_t:s0

restorecon -RFv /etc/gentoo-installation/

➤ sesearch --allow --source crond_t --class file --perm getattr,open,read | grep "_cron_spool_t"
allow crond_t system_cron_spool_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ fcron_crond ]:True
allow crond_t system_cron_spool_t:file { getattr ioctl lock open read watch };
allow crond_t user_cron_spool_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ fcron_crond ]:True
allow crond_t user_cron_spool_t:file { getattr ioctl lock open read };

➤ semanage fcontext -l | grep "/var/spool/cron/crontabs"
/var/spool/cron/crontabs                           directory          system_u:object_r:cron_spool_t:s0
/var/spool/cron/crontabs/.*                        regular file       <<None>>
/var/spool/cron/crontabs/munin                     regular file       system_u:object_r:system_cron_spool_t:s0

➤ semanage fcontext -a -f f -t user_cron_spool_t "/var/spool/cron/crontabs/[^\.].*"

➤ restorecon -RFv /var/spool/cron/crontabs
Relabeled /var/spool/cron/crontabs/root from system_u:object_r:unlabeled_t:s0 to system_u:object_r:user_cron_spool_t:s0

➤ semanage fcontext -l | grep "/var/lib/.*tables"
/var/lib/ip6?tables(/.*)?                          all files          system_u:object_r:initrc_tmp_t:s0

➤ sesearch --allow --source iptables_t --target initrc_tmp_t --class file --perm getattr,ioctl,open,read
allow iptables_t initrc_tmp_t:file { append getattr ioctl lock open read write };

semanage fcontext -a -t initrc_tmp_t "/var/lib/nftables(/[^\.].*)?"

➤ restorecon -RFv /var/lib/nftables
Relabeled /var/lib/nftables from system_u:object_r:var_lib_t:s0 to system_u:object_r:initrc_tmp_t:s0
Relabeled /var/lib/nftables/rules-save from system_u:object_r:var_lib_t:s0 to system_u:object_r:initrc_tmp_t:s0

➤ semanage fcontext -l | grep "/usr/share" | grep -e "\.sh" -e "\.py" -e "\.pl"
/usr/share/GNUstep/Makefiles/[^/]*\.sh             regular file       system_u:object_r:bin_t:s0
/usr/share/PackageKit/pk-upgrade-distro\.sh        regular file       system_u:object_r:bin_t:s0
/usr/share/ajaxterm/ajaxterm\.py.*                 regular file       system_u:object_r:bin_t:s0
/usr/share/ajaxterm/qweb\.py.*                     regular file       system_u:object_r:bin_t:s0
/usr/share/apr(-[0-9])?/build/[^/]+\.sh            regular file       system_u:object_r:bin_t:s0
/usr/share/build-1/[^/]+\.sh                       regular file       system_u:object_r:bin_t:s0
/usr/share/build-1/mkdir\.sh                       regular file       system_u:object_r:bin_t:s0
/usr/share/cluster/.*\.sh                          all files          system_u:object_r:bin_t:s0
/usr/share/ifupdown2/__main__\.py                  regular file       system_u:object_r:bin_t:s0
/usr/share/printconf/util/print\.py                regular file       system_u:object_r:bin_t:s0
/usr/share/sandbox/sandboxX\.sh                    regular file       system_u:object_r:bin_t:s0
/usr/share/sectool/.*\.py                          regular file       system_u:object_r:bin_t:s0
/usr/share/shorewall/compiler\.pl                  regular file       system_u:object_r:bin_t:s0
/usr/share/system-config-printer/applet\.py        regular file       system_u:object_r:bin_t:s0
/usr/share/texlive/texmf-dist/scripts/checklistings/checklistings\.sh regular file       system_u:object_r:bin_t:s0
/usr/share/virtualbox/VBoxCreateUSBNode\.sh        regular file       system_u:object_r:udev_helper_exec_t:s0

➤ sesearch --allow --source sysadm_t --target bin_t --class file --perm execute,execute_no_trans
allow sysadm_t bin_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };

semanage fcontext -a -f f -t bin_t "/usr/share/genkernel/[^/]+\.(pl|py|sh)"

➤ restorecon -RFv /usr/share/genkernel
Relabeled /usr/share/genkernel/gen_arch.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_bootloader.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_cmdline.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_compile.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_configkernel.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_determineargs.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_funcs.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_initramfs.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_moddeps.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_package.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/gen_worker.sh from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/merge.pl from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0
Relabeled /usr/share/genkernel/path_expander.py from system_u:object_r:usr_t:s0 to system_u:object_r:bin_t:s0

➤ semanage fcontext -l | grep "^/var/tmp"
/var/tmp                                           directory          system_u:object_r:tmp_t:s0
/var/tmp                                           symbolic link      system_u:object_r:tmp_t:s0
/var/tmp/.*                                        all files          <<None>>
/var/tmp/binpkgs(/.*)?                             all files          system_u:object_r:portage_tmp_t:s0
/var/tmp/emerge-webrsync(/.*)?                     all files          system_u:object_r:portage_tmp_t:s0
/var/tmp/lost\+found                               directory          system_u:object_r:lost_found_t:s0
/var/tmp/lost\+found/.*                            all files          <<None>>
/var/tmp/portage(/.*)?                             all files          system_u:object_r:portage_tmp_t:s0
/var/tmp/portage-pkg(/.*)?                         all files          system_u:object_r:portage_tmp_t:s0
/var/tmp/systemd-private-[^/]+                     directory          system_u:object_r:tmp_t:s0
/var/tmp/systemd-private-[^/]+/tmp                 directory          system_u:object_r:tmp_t:s0
/var/tmp/systemd-private-[^/]+/tmp/.*              all files          <<None>>
/var/tmp/vi\.recover                               directory          system_u:object_r:tmp_t:s0

➤ sesearch --allow --source sysadm_t --class file --perm execute,execute_no_trans | grep tmp
allow sysadm_t portage_tmp_t:file { execute execute_no_trans getattr ioctl lock map open read };
allow sysadm_t user_tmp_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write };

➤ bash ../create_policy.sh
"my_00001_permissive_dmesg-systemd_tmpfiles_t-self.te" has been created!

Please, check the file, create the policy module and install it:
make -f /usr/share/selinux/mcs/include/Makefile my_00001_permissive_dmesg-systemd_tmpfiles_t-self.pp
semodule -i my_00001_permissive_dmesg-systemd_tmpfiles_t-self.pp

➤ bash ../create_policy.sh
audit2allow printed a warning:


#============= systemd_tmpfiles_t ==============

#!!!! This avc can be allowed using the boolean 'systemd_tmpfiles_manage_all'
allow systemd_tmpfiles_t portage_cache_t:dir { getattr open read relabelfrom relabelto };

Aborting...

setsebool -P allow_mount_anyfile on
setsebool -P systemd_tmpfiles_manage_all on