diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 7b23ff1f6fb..f97ab4bdc3e 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -295,6 +295,7 @@ eclass/python-single-r1.eclass
eclass/python-utils-r1.eclass
eclass/readme.gentoo-r1.eclass
eclass/savedconfig.eclass
+eclass/selinux-policy-2.eclass
eclass/strip-linguas.eclass
eclass/systemd.eclass
eclass/tmpfiles.eclass
@@ -363,8 +364,17 @@ profiles
#
# scripts
+sec-policy/selinux-base
+sec-policy/selinux-base-policy
+sec-policy/selinux-container
+sec-policy/selinux-dbus
+sec-policy/selinux-sssd
+sec-policy/selinux-unconfined
+
+
sys-apps/acl
sys-apps/attr
+sys-apps/checkpolicy
sys-apps/config-site
sys-apps/coreutils
sys-apps/debianutils
@@ -400,6 +410,7 @@ sys-apps/portage
sys-apps/pv
sys-apps/sandbox
sys-apps/sed
+sys-apps/semodule-utils
sys-apps/smartmontools
sys-apps/texinfo
sys-apps/usbutils
@@ -454,6 +465,8 @@ sys-libs/libcap
sys-libs/libcap-ng
sys-libs/libnvme
sys-libs/libseccomp
+sys-libs/libselinux
+sys-libs/libsepol
sys-libs/ncurses
sys-libs/readline
sys-libs/talloc
diff --git a/changelog/updates/2023-06-21-selinux.md b/changelog/updates/2023-06-21-selinux.md
new file mode 100644
index 00000000000..bcf96a3db3d
--- /dev/null
+++ b/changelog/updates/2023-06-21-selinux.md
@@ -0,0 +1,11 @@
+- libselinux ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- libsepol ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- semodule-utils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- policycoreutils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- libsemanage ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- checkpolicy ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- selinux-base ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-base-policy ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-container ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-sssd ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-unconfined ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r308.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r309.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r308.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r309.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index b391039ffa0..5313de0531c 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -144,9 +144,10 @@ RDEPEND="${RDEPEND}
net-misc/wget
net-misc/whois
net-vpn/wireguard-tools
- sec-policy/selinux-virt
sec-policy/selinux-base
sec-policy/selinux-base-policy
+ sec-policy/selinux-container
+ sec-policy/selinux-dbus
sec-policy/selinux-unconfined
sys-apps/acl
sys-apps/attr
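Review bot: The RDEPEND list now pulls in sec-policy/selinux-dbus, but the changelog entry added in this same commit (changelog/updates/2023-06-21-selinux.md) does not mention it, while selinux-sssd is named in the changelog and in the packages list yet is not added to RDEPEND here. Unless sssd's policy module is pulled in by another package (not visible in this diff), the module will be built but never land on the image; either add `sec-policy/selinux-sssd` next to `sec-policy/selinux-dbus` here or drop it from the changelog, and list selinux-dbus in the changelog in any case. The RDEPEND assignment continues outside this hunk.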
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild
index a849c70caa8..b92882df678 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild
@@ -64,6 +64,9 @@ src_install() {
['/usr/share/skel/.bash_logout']='/usr/share/flatcar/etc/skel/.bash_logout'
['/usr/share/skel/.bash_profile']='/usr/share/flatcar/etc/skel/.bash_profile'
['/usr/share/skel/.bashrc']='/usr/share/flatcar/etc/skel/.bashrc'
+ ['/usr/lib/selinux/config']='/usr/share/flatcar/etc/selinux/config'
+ ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
+ ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
)
local link target
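Review bot: The three new symlinks point at /usr/share/flatcar/etc/selinux/{config,mcs,semanage.conf}, but only `config` is installed into /etc/selinux by this ebuild (the `newins` below); `mcs` and `semanage.conf` presumably come from selinux-base and the policycoreutils/libsemanage packages, which nothing here guarantees, so the two links dangle if those packages or an INSTALL_MASK change stop shipping them. Add a comment on the new entries naming the providing packages, e.g. `# mcs/semanage.conf are shipped by sec-policy/selinux-base and sys-apps/policycoreutils; config comes from this package`, so the dependency is visible to whoever next touches the masks. The src_install function starts and ends outside this hunk.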
@@ -76,6 +79,9 @@ src_install() {
fi
done
+ insinto '/etc/selinux/'
+ newins "${FILESDIR}/selinux-config" config
+
insinto '/etc/bash/bashrc.d'
doins "${FILESDIR}/99-flatcar-bcc"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
new file mode 100644
index 00000000000..b94efbdd1d4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
@@ -0,0 +1,2 @@
+PKG_INSTALL_MASK+=" /etc/selinux/config"
+INSTALL_MASK+=" /etc/selinux/config"
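Review bot: Masking /etc/selinux/config from selinux-base silently discards refpolicy's default config (the file that selects SELINUX=enforcing/permissive and SELINUXTYPE), and nothing in this two-line file says where the replacement comes from. Add a comment such as `# /etc/selinux/config is shipped by coreos-base/misc-files (files/selinux-config); mask the refpolicy default so the two packages do not collide` so the next person reading a "missing config" report can find the owner. Whether the misc-files copy keeps the same enforcing mode is not visible here, since that file is only renamed in this diff.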
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch
similarity index 79%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch
index e96500288e7..35b00b1b64f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch
@@ -1,7 +1,7 @@
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dbd39cf8f..563559ca7 100644
---- refpolicy/policy/modules/system/init.te
-+++ refpolicy/policy/modules/system/init.te
+--- a/refpolicy/policy/modules/system/init.te
++++ b/refpolicy/policy/modules/system/init.te
@@ -1503,3 +1503,6 @@ optional_policy(`
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
userdom_dontaudit_write_user_tmp_files(systemprocess)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch
similarity index 86%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch
index 2e9ae7ce535..6b688e26fda 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch
@@ -1,9 +1,9 @@
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 109980e79..d5c4a5d95 100644
---- refpolicy/policy/modules/system/locallogin.te
-+++ refpolicy/policy/modules/system/locallogin.te
+--- a/refpolicy/policy/modules/system/locallogin.te
++++ b/refpolicy/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
-
+
allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch
similarity index 63%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch
index caa778d8ef9..7e760b6dbab 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch
@@ -1,18 +1,18 @@
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 7d713540d..d6cbc654d 100644
---- refpolicy/policy/modules/system/logging.te
-+++ refpolicy/policy/modules/system/logging.te
-@@ -516,11 +516,13 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
- userdom_dontaudit_search_user_home_dirs(syslogd_t)
+index abd61e6bd..fb5d69366 100644
+--- a/refpolicy/policy/modules/system/logging.te
++++ b/refpolicy/policy/modules/system/logging.te
+@@ -525,11 +525,13 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`init_systemd',`
-+ require { type kernel_t; }
# for systemd-journal
++ require { type kernel_t; }
+ allow syslogd_t self:capability audit_control;
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
allow syslogd_t self:capability2 audit_read;
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-+ allow syslogd_t kernel_t:netlink_audit_socket getattr;
++ allow syslogd_t kernel_t:netlink_audit_socket getattr;
# remove /run/log/journal when switching to permanent storage
allow syslogd_t var_log_t:dir rmdir;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch
similarity index 77%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch
index e6a31f66309..ee99de5b771 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch
@@ -1,19 +1,19 @@
diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
---- refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000
-+++ refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000
+--- a/refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000
++++ b/refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000
@@ -117,6 +117,7 @@
corenet_raw_sendrecv_generic_node(ping_t)
corenet_tcp_sendrecv_generic_node(ping_t)
corenet_raw_bind_generic_node(ping_t)
+corenet_icmp_bind_generic_node(ping_t)
-
+
dev_read_urand(ping_t)
-
+
@@ -189,6 +190,7 @@
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)
+corenet_icmp_bind_generic_node(traceroute_t)
-
+
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
new file mode 100644
index 00000000000..883720831e7
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
@@ -0,0 +1,16 @@
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+index 56dbd5af5..b5cf0e3c0 100644
+--- a/refpolicy/policy/modules/kernel/kernel.te
++++ b/refpolicy/policy/modules/kernel/kernel.te
+@@ -363,6 +363,11 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+
+ mcs_process_set_categories(kernel_t)
++mcs_killall(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_ptrace_all(kernel_t)
++allow kernel_t self:user_namespace create;
+
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
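Review bot: `allow kernel_t self:user_namespace create;` is the only functional difference from the copy of this patch deleted from sec-policy/selinux-base/files in the same change, and it arrives with no explanation, while the move also drops the old From/Subject/Signed-off-by header that carried the patch's rationale. Record the denial that motivates it above the line, in the style used for cilium in container.patch, e.g. `# <process> started from kernel_t needs to create user namespaces (AVC: ... tclass=user_namespace)`, so it can be revisited once the image is labelled. The mcs_killall/mcs_file_*_all/mcs_ptrace_all grants let kernel_t ignore MCS category separation entirely, which matters more than it looks because the container patch in this same change still transitions services out of kernel_t on an unlabelled system; a one-line comment stating that this is tied to the unlabelled-boot situation would keep it from being cargo-culted forward.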
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
new file mode 100644
index 00000000000..dd1090a7abe
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
@@ -0,0 +1,44 @@
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 495cbe2f4..a5605f866 100644
+--- a/refpolicy/policy/modules/kernel/files.if
++++ b/refpolicy/policy/modules/kernel/files.if
+@@ -7892,3 +7892,39 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++##
++## Relabel all files on the filesystem, except
++## policy_config_t and exceptions.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
++##
++#
++interface(`files_relabel_all_non_policy_files',`
++ gen_require(`
++ attribute file_type;
++ type policy_config_t;
++ ')
++
++ allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms;
++ relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ # this is only relabelfrom since there should be no
++ # device nodes with file types.
++ relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++')
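Review bot: `files_relabel_all_non_policy_files` is added but no hunk in this change calls it, so either the caller is missing from the diff or the interface is dead on arrival; say which in the patch or add the caller. The summary should also state why policy_config_t is carved out, since that is the whole point of the interface: a domain allowed to relabel the policy store (/etc/selinux contents) could swap in its own policy and file contexts, e.g. `## The exclusion keeps the caller from relabelling the policy store and thereby replacing the loaded policy.` The interface otherwise mirrors refpolicy's files_relabel_all_files, including the caller-negated `$2` convention, which is worth noting in the param text so nobody passes an un-negated type and silently widens the set.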
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
similarity index 75%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
index a2d653caf2c..1b4bb314673 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
@@ -1,8 +1,8 @@
diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
---- refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
+--- a/refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
@@ -879,6 +879,24 @@
-
+
########################################
##
+## Bind ICMP sockets to generic nodes.
@@ -27,14 +27,14 @@ diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/m
##
##
diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
---- refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
+--- a/refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
@@ -373,7 +373,7 @@
-
+
# Bind to any network address.
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-
+
# Infiniband
corenet_ib_access_all_pkeys(corenet_unconfined_type)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch
new file mode 100644
index 00000000000..809c81244ec
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch
@@ -0,0 +1,77 @@
+diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
+index 056aa6023..e4bcada03 100644
+--- a/refpolicy/policy/modules/services/container.fc
++++ b/refpolicy/policy/modules/services/container.fc
+@@ -113,3 +113,5 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
+ /var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+ /var/log/kube-proxy(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+ /var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:container_log_t,s0)
++
++/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
+index 5de421fc3..4a6c2760e 100644
+--- a/refpolicy/policy/modules/services/container.te
++++ b/refpolicy/policy/modules/services/container.te
+@@ -1007,3 +1007,62 @@ optional_policy(`
+ unconfined_domain_noaudit(spc_user_t)
+ domain_ptrace_all_domains(spc_user_t)
+ ')
++
++allow container_domain self:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
++allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt shutdown };
++
++# required for sharing /run for the etcd-wrapper
++files_mounton_runtime_dirs(container_engine_domain)
++
++# this is a hack while the system is not labelled. we need to authorize transition from kernel_t
++require {
++ type kernel_t;
++ type tmpfs_t;
++ type var_lib_t;
++ type unconfined_t;
++}
++allow kernel_t container_t:process transition;
++allow initrc_t container_t:process transition;
++allow kernel_t container_t:process2 nnp_transition;
++allow kernel_t unconfined_t:process transition;
++fs_manage_tmpfs_chr_files(container_t)
++fs_manage_tmpfs_dirs(container_t)
++fs_manage_tmpfs_files(container_t)
++fs_manage_tmpfs_sockets(container_t)
++fs_manage_tmpfs_symlinks(container_t)
++fs_remount_tmpfs(container_t)
++kernel_read_messages(container_t)
++kernel_sigchld(container_t)
++kernel_use_fds(container_t)
++allow container_t self:process getcap;
++files_read_var_lib_files(container_t)
++files_read_var_lib_symlinks(container_t)
++term_use_generic_ptys(container_t)
++term_setattr_generic_ptys(container_t)
++allow container_t tmpfs_t:chr_file { read write open };
++allow container_t container_file_t:chr_file { manage_file_perms };
++allow container_t self:capability sys_chroot;
++allow container_t self:process getpgid;
++allow container_t container_file_t:file { entrypoint mounton };
++allow container_t var_lib_t:file { entrypoint execute execute_no_trans };
++allow container_t kernel_t:fifo_file { getattr ioctl read write open append };
++allow container_t initrc_t:fifo_file { getattr ioctl read write open append };
++filetrans_pattern(kernel_t, etc_t, container_file_t, dir, "cni");
++
++# this is required by flanneld
++allow container_t kernel_t:system { module_request };
++
++# required by flanneld to write into /run/flannel/subnet.env
++filetrans_pattern(kernel_t, var_run_t, container_file_t, dir, "flannel");
++
++# required for cilium
++allow kernel_t spc_t:process transition;
++# required for cilium, can be upstreamed
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { open } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { kernel } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { cpu } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { read } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++allow spc_t self:perf_event { open cpu kernel read };
++# required for using cilium cgroup v1
++allow kernel_t self:perf_event { open cpu kernel read };
++allow unconfined_t container_file_t:file { entrypoint };
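Review bot: `allow container_t kernel_t:system { module_request };`, added for flanneld, lets every process in container_t trigger kernel module autoloading by name, which is a well-known way to pull rarely used protocol and filesystem modules into the kernel from inside a container; if only flanneld needs it, give flanneld its own domain (or run it as spc_t) instead of widening container_t, and in any case record the motivating AVC line as the cilium block does. `allow container_t var_lib_t:file { entrypoint execute execute_no_trans };` has the same shape of problem: any file under /var/lib that still carries the generic var_lib_t label can be executed by, or used as an entrypoint into, a container, so the specific path should get a container_file_t (or container_var_lib_t) fc entry like the one added for /usr/share/containerd rather than granting the generic type. The kernel_t to container_t/unconfined_t/spc_t transitions are labelled a hack for the unlabelled system, which is fine as a comment, but the rules below that comment mix the hack with apparently permanent rules (tmpfs, ptys, cni/flannel filetrans), so a blank line and a second heading separating "remove once labelled" from "keep" would make the eventual cleanup safe.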
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest
deleted file mode 100644
index 531f9303e23..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
deleted file mode 100644
index 420139c3beb..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 60060c35c..8d9f5b7a6 100644
---- refpolicy/policy/modules/services/ssh.fc
-+++ refpolicy/policy/modules/services/ssh.fc
-@@ -6,7 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
--/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/bin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
-
- /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
- /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-@@ -17,7 +17,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
-
- /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-
--/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/sbin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
-
- /run/sshd(/.*)? gen_context(system_u:object_r:sshd_runtime_t,s0)
- /run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_runtime_t,s0)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
deleted file mode 100644
index 972b954b2b4..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-index 7c60eda2c..736187b7a 100644
---- refpolicy/policy/modules/kernel/kernel.te
-+++ refpolicy/policy/modules/kernel/kernel.te
-@@ -191,6 +191,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
- type unlabeled_t;
- kernel_rootfs_mountpoint(unlabeled_t)
- fs_associate(unlabeled_t)
-+fs_associate_tmpfs(unlabeled_t)
- sid file gen_context(system_u:object_r:unlabeled_t,s0)
- sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
- neverallow * unlabeled_t:file entrypoint;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest
deleted file mode 100644
index 531f9303e23..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
deleted file mode 100644
index cf6406da73a..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
-From: Mathieu Tortuyaux
-Date: Fri, 4 Jun 2021 13:17:44 +0200
-Subject: [PATCH] policy/modules/kernel: all more actions for kernel
-
-Signed-off-by: Mathieu Tortuyaux
----
- policy/modules/kernel/kernel.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
---- refpolicy/policy/modules/kernel/kernel.te
-+++ refpolicy/policy/modules/kernel/kernel.te
-@@ -351,6 +351,10 @@ files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
-
- mcs_process_set_categories(kernel_t)
-+mcs_killall(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_ptrace_all(kernel_t)
-
- mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
deleted file mode 100644
index 5cce12771a1..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- refpolicy/policy/mcs
-+++ refpolicy/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+
-+default_range dir_file_class_set target low-high;
- #
- # Define sensitivities
- #
-@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
-
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or (t1 == mcswriteall));
-
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
-
- mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
deleted file mode 100644
index b9ce5121186..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is used to configure the per-instance contexts of rkt and other
-# applications that use libvirt for lxc container support.
-#
-# See:
-# https://coreos.com/rkt/docs/latest/selinux.html
-# https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
-
-process = "system_u:system_r:svirt_lxc_net_t:s0"
-content = "system_u:object_r:virt_var_lib_t:s0"
-file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
deleted file mode 100644
index a123a51d150..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /etc/selinux/ - - - - -
-L /etc/selinux/config - - - - ../../usr/lib/selinux/config
-L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/Manifest
deleted file mode 100644
index 531f9303e23..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
deleted file mode 100644
index 74b5062ef8d..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-index 4943ad79d..8b0ed779e 100644
---- services/virt.te
-+++ services/virt.te
-@@ -1377,3 +1377,41 @@ sysnet_dns_name_resolve(virtlogd_t)
-
- virt_manage_log(virtlogd_t)
- virt_read_config(virtlogd_t)
-+
-+require {
-+ type kernel_t;
-+ type tmpfs_t;
-+ type var_lib_t;
-+}
-+allow kernel_t svirt_lxc_net_t:process transition;
-+allow initrc_t svirt_lxc_net_t:process transition;
-+allow kernel_t svirt_lxc_net_t:process2 nnp_transition;
-+fs_manage_tmpfs_chr_files(svirt_lxc_net_t)
-+fs_manage_tmpfs_dirs(svirt_lxc_net_t)
-+fs_manage_tmpfs_files(svirt_lxc_net_t)
-+fs_manage_tmpfs_sockets(svirt_lxc_net_t)
-+fs_manage_tmpfs_symlinks(svirt_lxc_net_t)
-+fs_remount_tmpfs(svirt_lxc_net_t)
-+kernel_read_messages(svirt_lxc_net_t)
-+kernel_sigchld(svirt_lxc_net_t)
-+kernel_use_fds(svirt_lxc_net_t)
-+allow svirt_lxc_net_t self:process getcap;
-+files_read_var_lib_files(svirt_lxc_net_t)
-+files_read_var_lib_symlinks(svirt_lxc_net_t)
-+term_use_generic_ptys(svirt_lxc_net_t)
-+term_setattr_generic_ptys(svirt_lxc_net_t)
-+allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
-+allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { manage_file_perms };
-+allow svirt_lxc_net_t self:capability sys_chroot;
-+allow svirt_lxc_net_t self:process getpgid;
-+allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
-+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
-+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
-+allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
-+filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");
-+
-+# this is required by flanneld
-+allow svirt_lxc_net_t kernel_t:system { module_request };
-+
-+# required by flanneld to write into /run/flannel/subnet.env
-+filetrans_pattern(kernel_t, var_run_t, svirt_lxc_file_t, dir, "flannel");
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild
deleted file mode 100644
index 64e118aaf99..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-IUSE=""
-MODS="virt"
-
-inherit selinux-policy-2
-
-DESCRIPTION="SELinux policy for virt"
-
-# flatcar changes
-POLICY_PATCH="${FILESDIR}/virt.patch"
-
-if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="amd64 -arm ~arm64 ~mips x86"
-fi
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest
deleted file mode 100644
index 9e0b7673d5f..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST checkpolicy-3.1.tar.gz 69072 BLAKE2B 31cb5ef52533b0a62f954e770278fc5766a961d87fb86260b04abe562bcd90d0025b33931c6ad54096c64ab54150c7562c112eac80eb2f60dbcdda57f4cacfe2 SHA512 2276a5a0919286049d2ceba386ef5f6de523745b588bb81cb4fed5eced5fd0b8070249b7a3ae5a85e2abb9369a86318f727d4073aad14ab75c43750a46069168
-DIST checkpolicy-3.2.tar.gz 69035 BLAKE2B 263c582c8ed3c38822513899f3591edfc5d0132977451503a8b45d2074b5a1c5ce03973353b3ceaad44da913b4e35546cfef1988b68bd517618efdb942f994ec SHA512 133639595c2acc66c02b5a637c5e0c60d80ce2bae04f4a709d9fafabd31f9497d1a6e3334904b985c2a1bd94a7a7e3df782c2af2ae41d1fd79b69156a835edeb
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.1.ebuild
deleted file mode 100644
index 31985d221c9..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.1.ebuild
+++ /dev/null
@@ -1,65 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs
-
-MY_P="${P//_/-}"
-MY_RELEASEDATE="20200710"
-
-SEPOL_VER="${PV}"
-SEMNG_VER="${PV}"
-
-DESCRIPTION="SELinux policy compiler"
-HOMEPAGE="http://userspace.selinuxproject.org"
-
-if [[ ${PV} == 9999 ]] ; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${MY_P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz"
- KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="debug"
-
-DEPEND=">=sys-libs/libsepol-${SEPOL_VER}"
-BDEPEND="sys-devel/flex
- sys-devel/bison"
-
-RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}"
-
-src_compile() {
- # flatcar changes
- emake \
- CC="$(tc-getCC)" \
- YACC="bison -y" \
- PREFIX="/usr" \
- LIBDIR="${ROOT:-/}\$(PREFIX)/$(get_libdir)" \
- INCLUDEDIR="${ROOT}\$(PREFIX)/include"
-}
-
-src_install() {
- # flatcar changes
- # we remove the `default` behavior to override
- # the LIBSEPOLA variable in order to fix cross compile
- emake DESTDIR="${D}" \
- LIBSEPOLA="${ROOT:-/}/usr/$(get_libdir)/libsepol.a" \
- install
-
- if use debug; then
- dobin "${S}/test/dismod"
- dobin "${S}/test/dispol"
- fi
-}
-
-pkg_postinst() {
- if ! tc-is-cross-compiler; then
- einfo "This checkpolicy can compile version `checkpolicy -V | cut -f 1 -d ' '` policy."
- fi
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
index c58464335d7..cfc08315c27 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
@@ -1,3 +1,2 @@
-DIST policycoreutils-3.1.tar.gz 2817914 BLAKE2B ef68bb5f9cf577164ead44803b6be2bd6401c9e923d2c775c7c8c47f0e803749feaec4247fec5cc1cb766314954402fd2506370bb397f746437ecfcf65b384f3 SHA512 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
+DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8 SHA512 7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444
DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5 SHA512 0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f
-DIST policycoreutils-3.2.tar.gz 2817961 BLAKE2B 747cbd7b84ffa9153067340f8f1dc5a652eaf85b037a6e10e116d3d0b31c8e7c9794bc6a46ae212848bef4887478ac167e359a387bebac49e0acd08b727808ce SHA512 d16781d2d61b8b78d6fc242f2b5c3a03f47ea524fb61655823b6b0f0327ff376c65fe7bdf7a53f5863c01e599cf4a7050f21fda0fe6a8f2c2c16f89b156a4346
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
new file mode 100644
index 00000000000..f763cf3e45f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+L /var/lib/selinux/ - - - - ../../usr/lib/selinux/policy
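Review bot: The `L` entry on the new line only works when /var/lib/selinux is absent; as far as I know systemd-tmpfiles does not replace an existing non-symlink for plain `L`, so a host that still carries the real directory created by the deleted policycoreutils-3.2-r1 ebuild (`keepdir /var/lib/selinux`) would silently keep a stale, empty store instead of pointing at /usr/lib/selinux/policy. The file should state the expected starting state, e.g. `# Expects /var/lib/selinux to be absent (fresh /var); an existing real directory is left untouched`. If migration from the old layout is intended it needs an explicit step rather than this entry — `L+` would remove whatever is at the path, which is probably too aggressive for a policy store. The trailing slash on `/var/lib/selinux/` also differs from the `dosym ../../usr/lib/selinux/policy /var/lib/selinux` target in the 3.5 ebuild; dropping it avoids relying on path normalisation.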
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
index 16effc34b8e..4d3c72d81d4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r4.ebuild
deleted file mode 100644
index 9b71258245a..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r4.ebuild
+++ /dev/null
@@ -1,224 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{6..11} )
-PYTHON_REQ_USE="xml(+)"
-
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
-
-MY_P="${P//_/-}"
-
-MY_RELEASEDATE="20200710"
-EXTRAS_VER="1.37"
-SEMNG_VER="${PV}"
-SELNX_VER="${PV}"
-SEPOL_VER="${PV}"
-
-# flatcar changes: nls, extra
-IUSE="audit extra nls pam python split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${MY_P}/${PN}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz
- https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="amd64 ~arm64 ~mips x86"
- S1="${WORKDIR}/${MY_P}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-
-# flatcar changes: remove setools. Since 4.x setools is written in python
-# so it's not shipped anymore with Flatcar OS
-DEPEND=">=sys-libs/libselinux-${SELNX_VER}:=[python?,${PYTHON_USEDEP}]
- >=sys-libs/libsemanage-${SEMNG_VER}:=[python?,${PYTHON_USEDEP}]
- >=sys-libs/libsepol-${SEPOL_VER}:=
- sys-libs/libcap-ng:=
- audit? ( >=sys-process/audit-1.5.1[python?,${PYTHON_USEDEP}] )
- pam? ( sys-libs/pam:= )
- python? ( ${PYTHON_DEPS} )"
-
-# Avoid dependency loop in the cross-compile case, bug #755173
-# (Still exists in native)
-BDEPEND="sys-devel/gettext"
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
- app-misc/pax-utils"
-
-PDEPEND="sys-apps/semodule-utils
- python? ( sys-apps/selinux-python )"
-
-src_unpack() {
- # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
- default
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- fi
-}
-
-src_prepare() {
- S="${S1}"
- cd "${S}" || die "Failed to switch to ${S}"
- if [[ ${PV} != 9999 ]] ; then
- # If needed for live ebuilds please use /etc/portage/patches
- eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
- fi
-
- # rlpkg is more useful than fixfiles
- sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
- || die "fixfiles sed 1 failed"
- sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
- || die "fixfiles sed 2 failed"
-
- eapply_user
-
- sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-
- # flatcar changes
- if use python; then
- python_copy_sources
- # Our extra code is outside the regular directory, so set it to the extra
- # directory. We really should optimize this as it is ugly, but the extra
- # code is needed for Gentoo at the same time that policycoreutils is present
- # (so we cannot use an additional package for now).
- if use extra ; then
- S="${S2}"
- python_copy_sources
- fi
- fi
-
- # flatcar changes
- # Skip building unneeded parts.
- if ! use python ; then
- for dir in audit2allow gui scripts semanage sepolicy sepolgen-ifgen; do
- sed -e "s/ $dir / /" -i Makefile || die
- done
- fi
- use nls || sed -e "s/ po / /" -i Makefile || die
-}
-
-src_compile() {
- building() {
- emake -C "${BUILD_DIR}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)"
- }
-
- # flatcar changes
- if use python; then
- S="${S1}" # Regular policycoreutils
- python_foreach_impl building
- if use extra ; then
- S="${S2}" # Extra set
- python_foreach_impl building
- fi
- else
- BUILD_DIR="${S1}"
- building
- if use extra ; then
- BUILD_DIR="${S2}"
- building
- fi
- fi
-}
-
-src_install() {
- # Python scripts are present in many places. There are no extension modules.
- installation-policycoreutils() {
- einfo "Installing policycoreutils"
- emake -C "${BUILD_DIR}" DESTDIR="${D}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- install
- # flatcar changes
- if use python; then
- python_optimize
- fi
- }
-
- installation-extras() {
- einfo "Installing policycoreutils-extra"
- emake -C "${BUILD_DIR}" \
- DESTDIR="${D}" \
- SHLIBDIR="${D}$(get_libdir)/rc" \
- install
- # flatcar changes
- if use python; then
- python_optimize
- fi
- }
-
- # flatcar changes
- if use python; then
- S="${S1}" # policycoreutils
- python_foreach_impl installation-policycoreutils
- if use extra ; then
- S="${S2}"
- installation-extras
- S="${S1}" # back for later
- fi
- else
- BUILD_DIR="${S1}"
- installation-policycoreutils
- if use extra ; then
- BUILD_DIR="${S2}"
- installation-extras
- fi
- fi
-
- # remove redhat-style init script
- rm -fR "${D}/etc/rc.d" || die
-
- # compatibility symlinks
- use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles
-
- bashcomp_alias setsebool getsebool
-
- # location for policy definitions
- # flatcar changes:
- dodir /usr/lib/selinux/policy
- dosym ../../usr/lib/selinux/policy /var/lib/selinux
- keepdir /usr/lib/selinux/policy
-
- # Set version-specific scripts
- # flatcar changes
- if use python; then
- # Set version-specific scripts
- for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
- python_replicate_script "${ED}/usr/bin/${pyscript}"
- done
- python_replicate_script "${ED}/usr/sbin/semanage"
- use extra && python_replicate_script "${ED}/usr/sbin/rlpkg"
- fi
-}
-
-pkg_postinst() {
- for POLICY_TYPE in ${POLICY_TYPES} ; do
- # There have been some changes to the policy store, rebuilding now.
- # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
- semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
- done
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.2-r1.ebuild
deleted file mode 100644
index 8ef2854fbbd..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.2-r1.ebuild
+++ /dev/null
@@ -1,162 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{6..10} )
-PYTHON_REQ_USE="xml"
-
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
-
-EXTRAS_VER="1.37"
-
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${PN}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz
- https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="~amd64 ~arm64 ~mips ~x86"
- S1="${WORKDIR}/${P}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-
-DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
- >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
- >=sys-libs/libsepol-${PV}:=
- sys-libs/libcap-ng:=
- >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
- audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
- pam? ( sys-libs/pam:= )
- ${PYTHON_DEPS}"
-
-# Avoid dependency loop in the cross-compile case, bug #755173
-# (Still exists in native)
-BDEPEND="sys-devel/gettext"
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
- app-misc/pax-utils"
-
-PDEPEND="sys-apps/semodule-utils
- sys-apps/selinux-python"
-
-src_unpack() {
- # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
- default
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- fi
-}
-
-src_prepare() {
- S="${S1}"
- cd "${S}" || die "Failed to switch to ${S}"
- if [[ ${PV} != 9999 ]] ; then
- # If needed for live ebuilds please use /etc/portage/patches
- eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
- fi
-
- # rlpkg is more useful than fixfiles
- sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
- || die "fixfiles sed 1 failed"
- sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
- || die "fixfiles sed 2 failed"
-
- eapply_user
-
- sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-
- python_copy_sources
- # Our extra code is outside the regular directory, so set it to the extra
- # directory. We really should optimize this as it is ugly, but the extra
- # code is needed for Gentoo at the same time that policycoreutils is present
- # (so we cannot use an additional package for now).
- S="${S2}"
- python_copy_sources
-}
-
-src_compile() {
- building() {
- emake -C "${BUILD_DIR}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)"
- }
- S="${S1}" # Regular policycoreutils
- python_foreach_impl building
- S="${S2}" # Extra set
- python_foreach_impl building
-}
-
-src_install() {
- # Python scripts are present in many places. There are no extension modules.
- installation-policycoreutils() {
- einfo "Installing policycoreutils"
- emake -C "${BUILD_DIR}" DESTDIR="${D}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- install
- python_optimize
- }
-
- installation-extras() {
- einfo "Installing policycoreutils-extra"
- emake -C "${BUILD_DIR}" \
- DESTDIR="${D}" \
- install
- python_optimize
- }
-
- S="${S1}" # policycoreutils
- python_foreach_impl installation-policycoreutils
- S="${S2}" # extras
- python_foreach_impl installation-extras
- S="${S1}" # back for later
-
- # remove redhat-style init script
- rm -fR "${D}/etc/rc.d" || die
-
- # compatibility symlinks
- use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles
-
- bashcomp_alias setsebool getsebool
-
- # location for policy definitions
- dodir /var/lib/selinux
- keepdir /var/lib/selinux
-
- # Set version-specific scripts
- for pyscript in rlpkg; do
- python_replicate_script "${ED}/usr/sbin/${pyscript}"
- done
-}
-
-pkg_postinst() {
- for POLICY_TYPE in ${POLICY_TYPES} ; do
- # There have been some changes to the policy store, rebuilding now.
- # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
- done
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
similarity index 63%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
index 8ef2854fbbd..202a8942575 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
@@ -1,17 +1,17 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
-PYTHON_COMPAT=( python3_{6..10} )
-PYTHON_REQ_USE="xml"
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
+TMPFILES_OPTIONAL=1
+inherit multilib python-r1 toolchain-funcs bash-completion-r1 tmpfiles
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
EXTRAS_VER="1.37"
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
DESCRIPTION="SELinux core utilities"
HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
@@ -19,29 +19,29 @@ if [[ ${PV} == 9999 ]]; then
inherit git-r3
EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${PN}"
+ S1="${WORKDIR}/${P}/${PN}"
S2="${WORKDIR}/policycoreutils-extra"
S="${S1}"
else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="~amd64 ~arm64 ~mips ~x86"
- S1="${WORKDIR}/${P}"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+ S1="${WORKDIR}/${MY_P}"
S2="${WORKDIR}/policycoreutils-extra"
S="${S1}"
fi
LICENSE="GPL-2"
SLOT="0"
+IUSE="audit pam split-usr"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
- >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
+DEPEND=">=sys-libs/libselinux-${PV}:=
+ >=sys-libs/libsemanage-${PV}:=
>=sys-libs/libsepol-${PV}:=
sys-libs/libcap-ng:=
- >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
- pam? ( sys-libs/pam:= )
- ${PYTHON_DEPS}"
+ pam? ( sys-libs/pam:= )"
# Avoid dependency loop in the cross-compile case, bug #755173
# (Still exists in native)
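Review bot: `REQUIRED_USE="${PYTHON_REQUIRED_USE}"` (moved here) and `audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )` are left over from the Python-enabled build, while this same commit drops `${PYTHON_DEPS}` from DEPEND and, in the later hunks, every `python_copy_sources`/`python_foreach_impl` call, so nothing in the ebuild consumes a Python implementation any more. The result still forces users to select PYTHON_TARGETS and pulls in audit's Python bindings with no consumer; either drop the python-r1 inherit together with PYTHON_COMPAT/REQUIRED_USE and use `audit? ( >=sys-process/audit-1.5.1 )`, or add a comment stating why python-r1 is kept. Separately, KEYWORDS moves from `~amd64 ~arm64 ~mips ~x86` to stable `amd64 arm arm64 ~mips x86` in the same bump that introduces 3.5 (and adds arm), which is worth a sentence in the commit on where that was tested.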
@@ -51,8 +51,7 @@ BDEPEND="sys-devel/gettext"
RDEPEND="${DEPEND}
app-misc/pax-utils"
-PDEPEND="sys-apps/semodule-utils
- sys-apps/selinux-python"
+PDEPEND="sys-apps/semodule-utils"
src_unpack() {
# Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
@@ -79,14 +78,6 @@ src_prepare() {
eapply_user
sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-
- python_copy_sources
- # Our extra code is outside the regular directory, so set it to the extra
- # directory. We really should optimize this as it is ugly, but the extra
- # code is needed for Gentoo at the same time that policycoreutils is present
- # (so we cannot use an additional package for now).
- S="${S2}"
- python_copy_sources
}
src_compile() {
@@ -99,10 +90,8 @@ src_compile() {
CC="$(tc-getCC)" \
LIBDIR="\$(PREFIX)/$(get_libdir)"
}
- S="${S1}" # Regular policycoreutils
- python_foreach_impl building
- S="${S2}" # Extra set
- python_foreach_impl building
+ BUILD_DIR="${S1}"
+ building
}
src_install() {
@@ -117,7 +106,6 @@ src_install() {
CC="$(tc-getCC)" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
install
- python_optimize
}
installation-extras() {
@@ -125,38 +113,38 @@ src_install() {
emake -C "${BUILD_DIR}" \
DESTDIR="${D}" \
install
- python_optimize
}
- S="${S1}" # policycoreutils
- python_foreach_impl installation-policycoreutils
- S="${S2}" # extras
- python_foreach_impl installation-extras
- S="${S1}" # back for later
+ BUILD_DIR="${S1}"
+ installation-policycoreutils
+
# remove redhat-style init script
rm -fR "${D}/etc/rc.d" || die
# compatibility symlinks
- use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles
+ if use split-usr; then
+ dosym ../../sbin/setfiles /usr/sbin/setfiles
+ else
+ # remove sestatus symlink
+ rm -f "${D}"/usr/sbin/sestatus || die
+ fi
bashcomp_alias setsebool getsebool
- # location for policy definitions
- dodir /var/lib/selinux
- keepdir /var/lib/selinux
+ dodir /usr/lib/selinux/policy
+ dosym ../../usr/lib/selinux/policy /var/lib/selinux
+ keepdir /usr/lib/selinux/policy
- # Set version-specific scripts
- for pyscript in rlpkg; do
- python_replicate_script "${ED}/usr/sbin/${pyscript}"
- done
+ # Recreate the symlink in /var in case of wiping the root filesystem.
+ dotmpfiles "${FILESDIR}/tmpfiles.d/10-var-lib-selinux.conf"
}
pkg_postinst() {
for POLICY_TYPE in ${POLICY_TYPES} ; do
# There have been some changes to the policy store, rebuilding now.
# https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
done
}
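Review bot: `installation-extras()` (context line `installation-extras() {` just above this hunk) is no longer called once the install step becomes `BUILD_DIR="${S1}"; installation-policycoreutils`, yet the policycoreutils-extra tarball stays in SRC_URI and S2 is still assigned, so the extras are fetched and unpacked but never built or installed; the src_compile hunk (`BUILD_DIR="${S1}"; building`) has the same pattern. Either call `installation-extras` (and `building` with `BUILD_DIR="${S2}"`) or remove the function, S2 and the extra SRC_URI entry, with a comment such as `# flatcar: policycoreutils-extra (rlpkg) is not shipped` so the next bump does not reintroduce it. In the new split-usr else-branch, `rm -f "${D}"/usr/sbin/sestatus || die` can never reach `die` for a missing file because of `-f`; if the symlink is expected to exist write `rm "${D}"/usr/sbin/sestatus || die`, otherwise drop the `|| die`. The entry installed via `dotmpfiles` is not applied at merge time because pkg_postinst does not call `tmpfiles_process 10-var-lib-selinux.conf`; that is acceptable if the `dosym` is meant to cover the installed image, but the comment on the `dotmpfiles` line should say so.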
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
deleted file mode 100644
index 3ba4acc00b6..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST libselinux-3.1.tar.gz 204703 BLAKE2B 72ff2d99dd6640405e804f58bdfbf05e152615ea92f902b3942602af13dc17080afeabb942ed33ae6b3f528870f4b11584e533848e455a97bf8f7151a8d44646 SHA512 57730cddd2d4751556d9e1f207c0f85119c81848f0620c16239e997150989e3f9a586a8c23861fd51ed89f7e084ad441190a58a288258a49a95f7beef7dbbb13
-DIST libselinux-3.2.tar.gz 206380 BLAKE2B 544eaaa87b9738c61929abe48713b530a8909eaea017890040f2fe299af86f09b6eb2cf4c9a68e06268ba09923b2b67703ac7a2b973906acb45f698e9ccaeed2 SHA512 18129ac0b9936e1f66021f1b311cf1c1e27a01e50cb70f08a3e1c642c5251e4538aec25a8427778569dfecf5333cf1fb84f1a59afdce8019328d0cff7e5833c5
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.1-r3.ebuild
deleted file mode 100644
index 94c25dfda6a..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.1-r3.ebuild
+++ /dev/null
@@ -1,159 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{6..11} )
-USE_RUBY="ruby25 ruby26 ruby27"
-
-# No, I am not calling ruby-ng
-inherit python-r1 toolchain-funcs multilib-minimal
-
-MY_P="${P//_/-}"
-SEPOL_VER="${PV}"
-MY_RELEASEDATE="20200710"
-
-DESCRIPTION="SELinux userland library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]] ; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${MY_P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz"
- KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="pcre2 python ruby static-libs ruby_targets_ruby25 ruby_targets_ruby26 ruby_targets_ruby27"
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-
-RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}:=[${MULTILIB_USEDEP}]
- !pcre2? ( >=dev-libs/libpcre-8.33-r1:=[static-libs?,${MULTILIB_USEDEP}] )
- pcre2? ( dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] )
- python? ( ${PYTHON_DEPS} )
- ruby? (
- ruby_targets_ruby25? ( dev-lang/ruby:2.5 )
- ruby_targets_ruby26? ( dev-lang/ruby:2.6 )
- ruby_targets_ruby27? ( dev-lang/ruby:2.7 )
- )
- elibc_musl? ( sys-libs/fts-standalone )"
-DEPEND="${RDEPEND}"
-BDEPEND="virtual/pkgconfig
- python? ( >=dev-lang/swig-2.0.9 )
- ruby? ( >=dev-lang/swig-2.0.9 )"
-
-src_prepare() {
- eapply_user
-
- multilib_copy_sources
-}
-
-multilib_src_compile() {
- tc-export AR CC PKG_CONFIG RANLIB
-
- emake \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
- USE_PCRE2="$(usex pcre2 y n)" \
- FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
- all
-
- if multilib_is_native_abi && use python; then
- building() {
- emake \
- LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
- pywrap
- }
- python_foreach_impl building
- fi
-
- if multilib_is_native_abi && use ruby; then
- building() {
- einfo "Calling rubywrap for ${1}"
- # Clean up .lo file to force rebuild
- rm -f src/selinuxswig_ruby_wrap.lo || die
- emake \
- RUBY=${1} \
- LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
- rubywrap
- }
- for RUBYTARGET in ${USE_RUBY}; do
- use ruby_targets_${RUBYTARGET} || continue
-
- building ${RUBYTARGET}
- done
- fi
-}
-
-multilib_src_install() {
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- install
-
- if multilib_is_native_abi && use python; then
- installation() {
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- install-pywrap
- python_optimize # bug 531638
- }
- python_foreach_impl installation
- fi
-
- if multilib_is_native_abi && use ruby; then
- installation() {
- einfo "Calling install-rubywrap for ${1}"
- # Forcing (re)build here as otherwise the resulting SO file is used for all ruby versions
- rm src/selinuxswig_ruby_wrap.lo
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- RUBY=${1} \
- USE_PCRE2="$(usex pcre2 y n)" \
- install-rubywrap
- }
- for RUBYTARGET in ${USE_RUBY}; do
- use ruby_targets_${RUBYTARGET} || continue
-
- installation ${RUBYTARGET}
- done
- fi
-
- use static-libs || rm "${D}"/usr/lib*/*.a || die
-}
-
-pkg_postinst() {
- # Fix bug 473502
- for POLTYPE in ${POLICY_TYPES};
- do
- mkdir -p /etc/selinux/${POLTYPE}/contexts/files || die
- touch /etc/selinux/${POLTYPE}/contexts/files/file_contexts.local || die
- # Fix bug 516608
- for EXPRFILE in file_contexts file_contexts.homedirs file_contexts.local ; do
- # flatcar changes:
- # since libselinux is installed under `/build/amd64-usr`, we need to
- # specify abspath to the binary `sefcontext_compile`, as well as abspath
- # to the policy files.
- if [[ -f "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" ]]; then
- ${ROOT}/usr/sbin/sefcontext_compile ${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE} \
- || die "Failed to recompile contexts"
- fi
- done
- done
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
index 72d9050a7a5..11ffe4e62f5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
@@ -1,2 +1 @@
-DIST libsemanage-3.1.tar.gz 179601 BLAKE2B 69450a4eda1f3728d339f65db1eec9940995fcea5208d17dca531ebc998aefbfec48fe91beffa3490e1502953aa550405fb696635d01b0eb8050c8f00f11106a SHA512 8609ca7d13b5c603677740f2b14558fea3922624af182d20d618237ba11fcf2559fab82fc68d1efa6ff118f064d426f005138521652c761de92cd66150102197
-DIST libsemanage-3.2.tar.gz 178839 BLAKE2B c0925812d784923a7a239ba919fc0a0e1d84cb528cbf4a357fb7938d3c06ebd2f0b60cd3eba40b76bf7c2922a081b99b16b32dc16638aa1bfce32553e241fb9f SHA512 6ad670bb298b1bab506217b12a3fda5d2209f4387a11410f0c1b65f765ffb579b0d70795dee19048909e0b72ef904fc318be60d5a01f80ab12742ce07647a084
+DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c SHA512 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
deleted file mode 100644
index 168b9720697..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /etc/selinux/ - - - - -
-L /etc/selinux/semanage.conf - - - - ../../usr/lib/selinux/semanage.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild
deleted file mode 100644
index f01673d1fd8..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild
+++ /dev/null
@@ -1,145 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-PYTHON_COMPAT=( python3_{6..11} )
-
-# flatcar changes
-TMPFILES_OPTIONAL=1
-inherit python-r1 toolchain-funcs multilib-minimal tmpfiles
-
-MY_P="${P//_/-}"
-MY_RELEASEDATE="20200710"
-
-SEPOL_VER="${PV}"
-SELNX_VER="${PV}"
-
-DESCRIPTION="SELinux kernel and policy management library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${MY_P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz"
- KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="python"
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-
-RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
- >=sys-libs/libselinux-${SELNX_VER}[${MULTILIB_USEDEP}]
- >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
- python? ( ${PYTHON_DEPS} )"
-DEPEND="${RDEPEND}"
-BDEPEND="
- python? (
- >=dev-lang/swig-2.0.4-r1
- virtual/pkgconfig
- )
- sys-devel/bison
- sys-devel/flex"
-
-# tests are not meant to be run outside of the
-# full SELinux userland repo
-RESTRICT="test"
-
-src_prepare() {
- eapply_user
-
- echo >> "${S}/src/semanage.conf"
- echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf"
- echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf"
- echo "# or debugging of policy." >> "${S}/src/semanage.conf"
- echo "save-linked=false" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf"
- echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf"
- echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf"
- echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf"
- echo "# would catch." >> "${S}/src/semanage.conf"
- echo "expand-check=1" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf"
- echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf"
- echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf"
- echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf"
- echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf"
- echo "bzip-blocksize=0" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf"
- echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf"
- echo "bzip-small=true" >> "${S}/src/semanage.conf"
-
- multilib_copy_sources
-}
-
-multilib_src_compile() {
- emake \
- AR="$(tc-getAR)" \
- CC="$(tc-getCC)" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- all
-
- # flatcar changes
- if multilib_is_native_abi && use python; then
- building_py() {
- emake \
- AR="$(tc-getAR)" \
- CC="$(tc-getCC)" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- "$@"
- }
- python_foreach_impl building_py swigify
- python_foreach_impl building_py pywrap
- fi
-}
-
-multilib_src_install() {
- # flatcar changes
- emake \
- DEFAULT_SEMANAGE_CONF_LOCATION="/usr/lib/selinux/semanage.conf" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- SHLIBDIR="/usr/$(get_libdir)" \
- DESTDIR="${ED}" install
-
- # flatcar changes
- if multilib_is_native_abi && use python; then
- installation_py() {
- # flatcar changes
- emake DESTDIR="${ED}" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- SHLIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- LIBSEPOLA="${EPREFIX%/}/usr/$(get_libdir)/libsepol.a" \
- install-pywrap
- python_optimize # bug 531638
- }
- python_foreach_impl installation_py
- fi
-
- # flatcar changes
- dotmpfiles "${FILESDIR}/tmpfiles.d/libsemanage.conf"
-}
-
-multiib_src_install_all() {
- python_setup
- python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store
-}
-
-pkg_postinst() {
- # Migrate the SELinux semanage configuration store if not done already
- local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' "${EROOT}"/etc/selinux/config 2>/dev/null)
- if [ -n "${selinuxtype}" ] && [ ! -d "${EROOT}"/var/lib/selinux/${selinuxtype}/active ] ; then
- ewarn "Since the 2.4 SELinux userspace, the policy module store is moved"
- ewarn "from /etc/selinux to /var/lib/selinux. The migration will be run now."
- ewarn "If there are any issues, it can be done manually by running:"
- ewarn "/usr/libexec/selinux/semanage_migrate_store"
- ewarn "For more information, please see"
- ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration"
- fi
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
deleted file mode 100644
index 3860e725b35..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
+++ /dev/null
@@ -1,127 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-PYTHON_COMPAT=( python3_{6..10} )
-
-inherit python-r1 toolchain-funcs multilib-minimal
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux kernel and policy management library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0/2"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
- >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}]
- >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
- ${PYTHON_DEPS}"
-DEPEND="${RDEPEND}"
-BDEPEND=">=dev-lang/swig-2.0.4-r1
- sys-devel/bison
- sys-devel/flex
- virtual/pkgconfig"
-
-# tests are not meant to be run outside of the
-# full SELinux userland repo
-RESTRICT="test"
-
-src_prepare() {
- eapply_user
-
- echo >> "${S}/src/semanage.conf"
- echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf"
- echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf"
- echo "# or debugging of policy." >> "${S}/src/semanage.conf"
- echo "save-linked=false" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf"
- echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf"
- echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf"
- echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf"
- echo "# would catch." >> "${S}/src/semanage.conf"
- echo "expand-check=1" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf"
- echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf"
- echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf"
- echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf"
- echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf"
- echo "bzip-blocksize=0" >> "${S}/src/semanage.conf"
- echo >> "${S}/src/semanage.conf"
- echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf"
- echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf"
- echo "bzip-small=true" >> "${S}/src/semanage.conf"
-
- multilib_copy_sources
-}
-
-multilib_src_compile() {
- local -x CFLAGS="${CFLAGS} -fno-semantic-interposition"
-
- emake \
- AR="$(tc-getAR)" \
- CC="$(tc-getCC)" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- all
-
- if multilib_is_native_abi; then
- building_py() {
- emake \
- AR="$(tc-getAR)" \
- CC="$(tc-getCC)" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- "$@"
- }
- python_foreach_impl building_py swigify
- python_foreach_impl building_py pywrap
- fi
-}
-
-multilib_src_install() {
- emake \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- DESTDIR="${ED}" install
-
- if multilib_is_native_abi; then
- installation_py() {
- emake DESTDIR="${ED}" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- install-pywrap
- python_optimize # bug 531638
- }
- python_foreach_impl installation_py
- fi
-}
-
-multiib_src_install_all() {
- python_setup
- python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store
-}
-
-pkg_postinst() {
- # Migrate the SELinux semanage configuration store if not done already
- local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' "${EROOT}"/etc/selinux/config 2>/dev/null)
- if [ -n "${selinuxtype}" ] && [ ! -d "${EROOT}"/var/lib/selinux/${selinuxtype}/active ] ; then
- ewarn "Since the 2.4 SELinux userspace, the policy module store is moved"
- ewarn "from /etc/selinux to /var/lib/selinux. The migration will be run now."
- ewarn "If there are any issues, it can be done manually by running:"
- ewarn "/usr/libexec/selinux/semanage_migrate_store"
- ewarn "For more information, please see"
- ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration"
- fi
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
similarity index 77%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
index 3860e725b35..98731c2390d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
@@ -1,8 +1,8 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_{9..11} )
inherit python-r1 toolchain-funcs multilib-minimal
@@ -18,23 +18,21 @@ if [[ ${PV} == 9999 ]]; then
S="${WORKDIR}/${P}/${PN}"
else
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
fi
LICENSE="GPL-2"
SLOT="0/2"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
+RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}]
+ >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
>=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}]
- >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
- ${PYTHON_DEPS}"
+ >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]"
+
DEPEND="${RDEPEND}"
-BDEPEND=">=dev-lang/swig-2.0.4-r1
- sys-devel/bison
- sys-devel/flex
- virtual/pkgconfig"
+BDEPEND="sys-devel/bison
+ sys-devel/flex"
# tests are not meant to be run outside of the
# full SELinux userland repo
@@ -78,39 +76,14 @@ multilib_src_compile() {
CC="$(tc-getCC)" \
LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
all
-
- if multilib_is_native_abi; then
- building_py() {
- emake \
- AR="$(tc-getAR)" \
- CC="$(tc-getCC)" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- "$@"
- }
- python_foreach_impl building_py swigify
- python_foreach_impl building_py pywrap
- fi
}
multilib_src_install() {
emake \
LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- DESTDIR="${ED}" install
-
- if multilib_is_native_abi; then
- installation_py() {
- emake DESTDIR="${ED}" \
- LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
- install-pywrap
- python_optimize # bug 531638
- }
- python_foreach_impl installation_py
- fi
-}
-
-multiib_src_install_all() {
- python_setup
- python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store
+ SHLIBDIR="/usr/$(get_libdir)" \
+ DESTDIR="${ED}" \
+ install
}
pkg_postinst() {
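Review bot: The new install recipe no longer passes the Flatcar `DEFAULT_SEMANAGE_CONF_LOCATION="/usr/lib/selinux/semanage.conf"` override that the deleted 3.1-r2 ebuild used, and the tmpfiles rule that linked `/etc/selinux/semanage.conf` to it is deleted in this same patch, so `semanage.conf` (with the `expand-check=1` block appended in the unchanged src_prepare) presumably lands in the library's default location under `/etc/selinux`. If the `/usr`-based layout is still required, both pieces need carrying over; if the default is now intended, a one-line comment on the `emake … install` call saying so would stop the next reader from hunting for the override. Separately, the removed `multiib_src_install_all` was misspelled (`multilib_src_install_all` is the hook), so the `python_fix_shebang` on `semanage_migrate_store` likely never ran, and with Python dropped from RDEPEND the script that pkg_postinst below still tells users to run may have no interpreter if the 3.5 `install` target still ships it. pkg_postinst starts on the last context line and continues outside the hunk.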
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml
index 9a9681c39bd..861770703d9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass b/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass
index 8f69847a9fb..ad760673cab 100644
--- a/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass
+++ b/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# Eclass for installing SELinux policy, and optionally
@@ -7,7 +7,7 @@
# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
-# @SUPPORTED_EAPIS: 6 7
+# @SUPPORTED_EAPIS: 7
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
@@ -18,67 +18,69 @@
# Also, it supports for bundling patches to make the whole thing just a bit more
# manageable.
-# @ECLASS-VARIABLE: MODS
+case ${EAPI} in
+ 7) ;;
+ *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
+esac
+
+if [[ ! ${_SELINUX_POLICY_2_ECLASS} ]]; then
+_SELINUX_POLICY_2_ECLASS=1
+
+# @ECLASS_VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
-: ${MODS:="_illegal"}
+: "${MODS:="_illegal"}"
-# @ECLASS-VARIABLE: BASEPOL
+# @ECLASS_VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
-: ${BASEPOL:=${PVR}}
+: "${BASEPOL:=${PVR}}"
-# @ECLASS-VARIABLE: POLICY_PATCH
+# @ECLASS_VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
-: ${POLICY_PATCH:=""}
+: "${POLICY_PATCH:=""}"
-# @ECLASS-VARIABLE: POLICY_FILES
+# @ECLASS_VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
-: ${POLICY_FILES:=""}
+: "${POLICY_FILES:=""}"
-# @ECLASS-VARIABLE: POLICY_TYPES
+# @ECLASS_VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in make.conf. Therefore, it is not the module that should
# override it, but the user.
-: ${POLICY_TYPES:="targeted strict mcs mls"}
+: "${POLICY_TYPES:="targeted strict mcs mls"}"
-# @ECLASS-VARIABLE: SELINUX_GIT_REPO
+# @ECLASS_VARIABLE: SELINUX_GIT_REPO
# @DESCRIPTION:
# When defined, this variable overrides the default repository URL as used by
# this eclass. It allows end users to point to a different policy repository
# using a single variable, rather than having to set the packagename_LIVE_REPO
# variable for each and every SELinux policy module package they want to install.
# The default value is Gentoo's hardened-refpolicy repository.
-: ${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"};
+: "${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"}"
-# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
+# @ECLASS_VARIABLE: SELINUX_GIT_BRANCH
# @DESCRIPTION:
# When defined, this variable sets the Git branch to use of the repository. This
# allows for users and developers to use a different branch for the entire set of
# SELinux policy packages, rather than having to override them one by one with the
# packagename_LIVE_BRANCH variable.
# The default value is the 'master' branch.
-: ${SELINUX_GIT_BRANCH:="master"};
-
-case "${EAPI:-0}" in
- 0|1|2|3|4|5) die "EAPI<6 is not supported";;
- 6|7) : ;;
- *) die "unknown EAPI" ;;
-esac
+: "${SELINUX_GIT_BRANCH:="master"}"
case ${BASEPOL} in
9999) inherit git-r3
@@ -113,17 +115,12 @@ else
RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${PV}"
fi
-if [[ ${EAPI} == 6 ]]; then
- DEPEND="${RDEPEND}
- sys-devel/m4
- >=sys-apps/checkpolicy-2.0.21"
-else
- DEPEND="${RDEPEND}"
- BDEPEND="sys-devel/m4
- >=sys-apps/checkpolicy-2.0.21"
-fi
-EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm
+DEPEND="${RDEPEND}"
+BDEPEND="
+ sys-devel/m4
+ >=sys-apps/checkpolicy-2.0.21
+"
# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
@@ -159,7 +156,7 @@ selinux-policy-2_src_prepare() {
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]]; then
cd "${S}"
einfo "Applying SELinux policy updates ... "
- eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+ eapply -p0 -- "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi
# Call in eapply_user. We do this early on as we start moving
@@ -169,7 +166,7 @@ selinux-policy-2_src_prepare() {
# Copy additional files to the 3rd_party/ location
if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
[[ -n ${POLICY_FILES} ]]; then
- add_interfaces=1;
+ add_interfaces=1;
cd "${S}/refpolicy/policy/modules"
for POLFILE in ${POLICY_FILES[@]};
do
@@ -177,22 +174,21 @@ selinux-policy-2_src_prepare() {
done
fi
- # Apply the additional patches refered to by the module ebuild.
+ # Apply the additional patches referred to by the module ebuild.
# But first some magic to differentiate between bash arrays and strings
- cd "${S}/refpolicy/policy/modules"
- for POLPATCH in ${POLICY_PATCH[@]};
- do
- einfo "Installing ${POLPATCH}"
- eapply -p0 "${POLPATCH}"
- done
+ if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]]; then
+ [[ -n ${POLICY_PATCH[*]} ]] && eapply -d "${S}/refpolicy/policy/modules" -- "${POLICY_PATCH[@]}"
+ else
+ [[ -n ${POLICY_PATCH} ]] && eapply -d "${S}/refpolicy/policy/modules" -- ${POLICY_PATCH}
+ fi
# Collect only those files needed for this particular module
for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.cil) $modfiles"
+ modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.te) $modfiles"
+ modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.fc) $modfiles"
+ modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.cil) $modfiles"
if [[ ${add_interfaces} -eq 1 ]]; then
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
+ modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.if) $modfiles"
fi
done
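Review bot: The `find` calls now quote `${S}` but still hand `$i.te`, `$i.fc`, `$i.cil` and `$i.if` to `-iname` unquoted, so the shell would glob-expand a module name containing pattern characters before find ever sees it; `-iname "${i}.te"` (and likewise on the other three lines) completes the quoting this hunk started. The same half-quoted form is repeated in both selinux-base-policy ebuilds further down this diff. In the POLICY_PATCH branch, `[[ -n ${POLICY_PATCH[*]} ]] && eapply …` leaves a non-zero status behind when the array is empty, which is harmless here only because more statements follow inside selinux-policy-2_src_prepare, whose start is outside the hunk.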
@@ -220,7 +216,7 @@ selinux-policy-2_src_compile() {
for i in ${POLICY_TYPES}; do
# Support USE flags in builds
export M4PARAM="${makeuse}"
- emake NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux -C "${S}"/${i} || die "${i} compile failed"
+ emake NAME=$i SHAREDIR="${EPREFIX}"/usr/share/selinux -C "${S}"/${i}
done
}
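Review bot: `SHAREDIR` changes from `${ROOT%/}` to `${EPREFIX}`, while the selinux-base-policy ebuild moved by this same patch sets the same variable to `${SYSROOT%/}/usr/share/selinux` in its src_compile hunk below. As far as I can tell SHAREDIR is how the per-type Makefile locates the base-policy headers that selinux-base-policy installs, so under a sysroot build like the one the removed libselinux comment describes (`/build/amd64-usr`) the eclass would look on the build host while the base policy was installed into the sysroot, unless SYSROOT happens to equal EPREFIX. Using `SHAREDIR="${SYSROOT%/}/usr/share/selinux"` (or `${ESYSROOT}`, which EAPI 7 provides) in both places keeps module builds and the base policy consistent; dropping `|| die` is fine since emake dies on its own in EAPI 7.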
@@ -256,21 +252,26 @@ selinux-policy-2_src_install() {
selinux-policy-2_pkg_postinst() {
# Set root path and don't load policy into the kernel when cross compiling
local root_opts=""
- if [[ "${ROOT%/}" != "" ]]; then
- root_opts="-p ${ROOT%/} -n"
+ if [[ -n ${ROOT} ]]; then
+ root_opts="-p ${ROOT} -n"
fi
# build up the command in the case of multiple modules
local COMMAND
for i in ${POLICY_TYPES}; do
- if [[ "${i}" == "strict" ]] && [[ "${MODS}" = "unconfined" ]]; then
- einfo "Ignoring loading of unconfined module in strict module store.";
- continue;
+ if [[ "${MODS}" = "unconfined" ]]; then
+ case ${i} in
+ strict|mcs|mls)
+ einfo "Ignoring loading of unconfined module in ${i} module store.";
+ continue
+ ;;
+ esac
fi
+
einfo "Inserting the following modules into the $i module store: ${MODS}"
- cd "${ROOT%/}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}"
+ cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}"
for j in ${MODS} ; do
if [[ -f "${j}.pp" ]] ; then
COMMAND="${j}.pp ${COMMAND}"
@@ -302,7 +303,7 @@ selinux-policy-2_pkg_postinst() {
ewarn "If it is the last SELinux module package being installed however,"
ewarn "then it is advised to look at the error above and take appropriate"
ewarn "action since the new SELinux policies are not loaded until the"
- ewarn "command finished succesfully."
+ ewarn "command finished successfully."
ewarn ""
ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp)"
@@ -310,16 +311,16 @@ selinux-policy-2_pkg_postinst() {
ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
ewarn "depending on if you need the unconfined domain loaded as well or not."
else
- einfo "SELinux modules reloaded succesfully."
+ einfo "SELinux modules reloaded successfully."
fi
else
- einfo "SELinux modules loaded succesfully."
+ einfo "SELinux modules loaded successfully."
fi
COMMAND="";
done
# Don't relabel when cross compiling
- if [[ "${ROOT%/}" == "" ]]; then
+ if [[ -z ${ROOT} ]]; then
# Relabel depending packages
local PKGSET="";
if [[ -x /usr/bin/qdepends ]] ; then
@@ -342,8 +343,8 @@ selinux-policy-2_pkg_postrm() {
if [[ -z "${REPLACED_BY_VERSION}" ]]; then
# Set root path and don't load policy into the kernel when cross compiling
local root_opts=""
- if [[ "${ROOT%/}" != "" ]]; then
- root_opts="-p ${ROOT%/} -n"
+ if [[ -n ${ROOT} ]]; then
+ root_opts="-p ${ROOT} -n"
fi
# build up the command in the case of multiple modules
@@ -359,9 +360,12 @@ selinux-policy-2_pkg_postrm() {
if [[ $? -ne 0 ]]; then
ewarn "SELinux module unload failed.";
else
- einfo "SELinux modules unloaded succesfully."
+ einfo "SELinux modules unloaded successfully."
fi
done
fi
}
+fi
+
+EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest
new file mode 100644
index 00000000000..10292536925
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest
@@ -0,0 +1,3 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/metadata.xml
similarity index 86%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/metadata.xml
index 46dc07f5426..5828cfe255c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r3.ebuild
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r3.ebuild
index aeab4a29b00..53278241d09 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
@@ -28,6 +28,7 @@ BDEPEND="
sys-devel/m4"
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+DEL_MODS="hotplug"
LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
@@ -56,8 +57,12 @@ src_prepare() {
# Collect only those files needed for this particular module
for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${DEL_MODS}; do
+ [[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
done
for i in ${POLICY_TYPES}; do
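Review bot: The duplicate check `[[ "${MODS}" != *${i}* ]]` is a substring test, so a DEL_MODS entry that happens to be part of another module name (say a hypothetical `hotplugd` next to `hotplug`) would make the ebuild die even though the two are different modules. Comparing with surrounding spaces turns it into a whole-word match: `[[ " ${MODS} " != *" ${i} "* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"`. The same line is added to the -r4 ebuild at the end of this diff.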
@@ -72,7 +77,7 @@ src_prepare() {
src_compile() {
for i in ${POLICY_TYPES}; do
- emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+ emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
done
}
@@ -111,6 +116,13 @@ pkg_postinst() {
cd "${ROOT}/usr/share/selinux/${i}"
semodule ${root_opts} -s ${i} ${COMMAND}
+
+ for mod in ${DEL_MODS}; do
+ if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+ einfo "Removing obsolete ${i} ${mod} policy package"
+ semodule ${root_opts} -s ${i} -r ${mod}
+ fi
+ done
done
# Don't relabel when cross compiling
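Review bot: The new `semodule ${root_opts} -s ${i} -r ${mod}` call has no failure handling, so if the obsolete module is present but cannot be removed the einfo has already announced its removal and the store is silently left as it was; the eclass's postrm path warns on a failed unload, and `semodule ${root_opts} -s ${i} -r ${mod} || ewarn "Failed to remove ${mod} from the ${i} module store"` would match that. The `grep -q "\b${mod}\b"` relies on GNU grep's `\b`, which is fine on Gentoo but worth a short comment, and `semodule -l` is queried once per module, which is acceptable for a one-entry DEL_MODS. The insert call right above is equally unchecked, but that predates this change. pkg_postinst begins outside the hunk.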
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r4.ebuild
similarity index 75%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r3.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r4.ebuild
index 7f1a7a6d494..599c8909966 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r4.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -11,8 +11,8 @@ if [[ ${PV} == 9999* ]]; then
inherit git-r3
else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
- https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PV}-r2.tar.bz2"
- KEYWORDS="amd64 -arm ~arm64 ~mips x86"
+ https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
@@ -27,26 +27,12 @@ BDEPEND="
sys-apps/checkpolicy
sys-devel/m4"
-MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+DEL_MODS="hotplug"
LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
-# flatcar changes: apply a couple of
-# patches on the current policies
-PATCHES=(
- "${FILESDIR}/sshd.patch"
- "${FILESDIR}/init.patch"
- "${FILESDIR}/locallogin.patch"
- "${FILESDIR}/logging.patch"
- # this patch is required to prevent `torcx-generator`
- # to fail if SELinux is enforced in early boot.
- # It can be removed once we drop torcx support.
- "${FILESDIR}/unlabeled.patch"
- # This is to allow pings from some IP address.
- "${FILESDIR}/ping.patch"
-)
-
# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
# added) needs to remain then.
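Review bot: `DEL_MODS="hotplug"` is added without a comment saying what the list is for; a reader has to get to pkg_postinst to learn that each entry is unloaded from every policy store, and to src_prepare to learn that an entry must not also appear in MODS. A one-line comment above it, `# Modules no longer built from MODS; pkg_postinst unloads any copy left from an earlier version`, tells a maintainer when to add an entry and when one can be retired, and if hotplug was dropped by this refpolicy release, naming that here as well would help. The same line is added in the 9999 ebuild.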
@@ -67,13 +53,16 @@ src_prepare() {
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi
- eapply -p0 "${PATCHES[@]}"
eapply_user
# Collect only those files needed for this particular module
for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${DEL_MODS}; do
+ [[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
done
for i in ${POLICY_TYPES}; do
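Review bot: The new guard `[[ "${MODS}" != *${i}* ]] || die ...` is a substring match rather than a word match, so a DEL_MODS entry that is a prefix or infix of a kept module name (for example `log` against `logging`) aborts the build although no module is duplicated. Padding both sides with spaces turns it into a whole-word test: `[[ " ${MODS} " != *" ${i} "* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"`. The same check is added in the 9999 ebuild's src_prepare. src_prepare starts and ends outside the hunk.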
@@ -88,7 +77,7 @@ src_prepare() {
src_compile() {
for i in ${POLICY_TYPES}; do
- emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+ emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
done
}
@@ -127,6 +116,13 @@ pkg_postinst() {
cd "${ROOT}/usr/share/selinux/${i}"
semodule ${root_opts} -s ${i} ${COMMAND}
+
+ for mod in ${DEL_MODS}; do
+ if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+ einfo "Removing obsolete ${i} ${mod} policy package"
+ semodule ${root_opts} -s ${i} -r ${mod}
+ fi
+ done
done
# Don't relabel when cross compiling
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
index aeab4a29b00..9ca7ee646d2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
fi
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
@@ -28,6 +28,7 @@ BDEPEND="
sys-devel/m4"
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+DEL_MODS="hotplug"
LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
@@ -56,8 +57,12 @@ src_prepare() {
# Collect only those files needed for this particular module
for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${DEL_MODS}; do
+ [[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
done
for i in ${POLICY_TYPES}; do
@@ -72,7 +77,7 @@ src_prepare() {
src_compile() {
for i in ${POLICY_TYPES}; do
- emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+ emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
done
}
@@ -111,6 +116,13 @@ pkg_postinst() {
cd "${ROOT}/usr/share/selinux/${i}"
semodule ${root_opts} -s ${i} ${COMMAND}
+
+ for mod in ${DEL_MODS}; do
+ if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+ einfo "Removing obsolete ${i} ${mod} policy package"
+ semodule ${root_opts} -s ${i} -r ${mod}
+ fi
+ done
done
# Don't relabel when cross compiling
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest
new file mode 100644
index 00000000000..10292536925
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest
@@ -0,0 +1,3 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
new file mode 100644
index 00000000000..55933ea0e53
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
@@ -0,0 +1,15 @@
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+SELINUXTYPE=strict
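Review bot: `SELINUXTYPE=strict` is hard-coded, while the policy ebuilds in this commit build and install one store per entry of `POLICY_TYPES`; if the profile's POLICY_TYPES does not contain `strict`, this file points the boot-time policy load at `/etc/selinux/strict`, which is never installed, and no policy is loaded at all. I cannot see the profile from this diff, so either a comment recording the assumption, `# must name a policy type listed in POLICY_TYPES (see sec-policy/selinux-base-policy)`, or deriving the value from POLICY_TYPES in selinux-base's src_install would keep the two in step. The shipped default `SELINUX=permissive` means denials are only logged, never blocked; a short comment saying that this is the intended initial mode (and what switches it to enforcing) would stop a reader from treating it as an oversight.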
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/selinux.conf
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/selinux.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml
similarity index 90%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml
index e59a87405fd..c909a1b00f8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild
similarity index 95%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild
index 3ea875afca5..d38a576e7f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild
@@ -1,8 +1,12 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
+inherit python-any-r1
+
if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -13,7 +17,7 @@ else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -26,6 +30,7 @@ SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.8"
DEPEND="${RDEPEND}"
BDEPEND="
+ ${PYTHON_DEPS}
>=sys-apps/checkpolicy-2.8
sys-devel/m4"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild
similarity index 71%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild
index bc58b54ab50..d38a576e7f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild
@@ -1,13 +1,11 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
-# flatcar changes
-PYTHON_COMPAT=( python3_{8,9,10,11} )
+PYTHON_COMPAT=( python3_{9..11} )
PYTHON_REQ_USE="xml(+)"
-TMPFILES_OPTIONAL=1
-inherit systemd tmpfiles python-any-r1
+inherit python-any-r1
if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
@@ -17,9 +15,9 @@ if [[ ${PV} == 9999* ]]; then
inherit git-r3
else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
- https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PV}-r2.tar.bz2"
+ https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
- KEYWORDS="amd64 -arm ~arm64 ~mips x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -29,24 +27,12 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
LICENSE="GPL-2"
SLOT="0"
-# flatcar changes
-RDEPEND=">=sys-apps/policycoreutils-2.8
- >=sys-apps/checkpolicy-2.8
-"
+RDEPEND=">=sys-apps/policycoreutils-2.8"
DEPEND="${RDEPEND}"
-# flatcar: BDEPEND on python - normally pulled in through policycoreutils
-# but we made that dep conditional on USE=python
-BDEPEND="sys-devel/m4
- ${PYTHON_DEPS}
-"
-
-
-# flatcar changes
-PATCHES=(
- "${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
- "${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
- "${FILESDIR}"/icmp-bind.patch
-)
+BDEPEND="
+ ${PYTHON_DEPS}
+ >=sys-apps/checkpolicy-2.8
+ sys-devel/m4"
S=${WORKDIR}/
@@ -56,8 +42,6 @@ src_prepare() {
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi
- # flatcar changes
- eapply -p0 "${PATCHES[@]}"
eapply_user
cd "${S}/refpolicy" || die
@@ -99,10 +83,6 @@ src_configure() {
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
- # flatcar changes: it's required to run polkit without segfault
- # we need to pass this argument now before the compilation of the policy
- sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
-
sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
"${S}/${i}/build.conf" || die "build.conf setup failed."
@@ -132,9 +112,7 @@ src_compile() {
for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die
- # flatcar changes
- emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
- LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
+ emake base
if use doc; then
emake html
fi
@@ -167,29 +145,14 @@ src_install() {
done
- # flatcar changes
- dotmpfiles "${FILESDIR}/tmpfiles.d/selinux-base.conf"
- systemd-tmpfiles --root="${D}" --create selinux-base.conf
-
docinto /
dodoc doc/Makefile.example doc/example.{te,fc,if}
doman man/man8/*.8;
- # flatcar changes
- insinto /usr/lib/selinux
+ insinto /etc/selinux
doins "${FILESDIR}/config"
- insinto /etc/selinux/mcs/contexts
- doins "${FILESDIR}/lxc_contexts"
-
- # flatcar changes
- mkdir -p "${D}/usr/lib/selinux"
- for i in ${POLICY_TYPES}; do
- mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
- dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
- done
-
insinto /usr/share/portage/config/sets
doins "${FILESDIR}/selinux.conf"
}
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild
similarity index 95%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild
index 3be921e88de..11859691550 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild
@@ -1,8 +1,12 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
+inherit python-any-r1
+
if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -13,7 +17,7 @@ else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
fi
IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -26,6 +30,7 @@ SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.8"
DEPEND="${RDEPEND}"
BDEPEND="
+ ${PYTHON_DEPS}
>=sys-apps/checkpolicy-2.8
sys-devel/m4"
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/Manifest
new file mode 100644
index 00000000000..10292536925
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/Manifest
@@ -0,0 +1,3 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/metadata.xml
similarity index 70%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/metadata.xml
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/metadata.xml
index 9173800ffc4..781bc07e6d5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r3.ebuild
new file mode 100644
index 00000000000..4455418ebe0
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r3.ebuild
@@ -0,0 +1,15 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+IUSE=""
+MODS="container"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for container"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r4.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r4.ebuild
new file mode 100644
index 00000000000..3c54414a955
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r4.ebuild
@@ -0,0 +1,15 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+IUSE=""
+MODS="container"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for container"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-9999.ebuild
new file mode 100644
index 00000000000..e664a42c56f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-9999.ebuild
@@ -0,0 +1,15 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+IUSE=""
+MODS="container"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for container"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/Manifest
new file mode 100644
index 00000000000..10292536925
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/Manifest
@@ -0,0 +1,3 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/metadata.xml
similarity index 70%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/metadata.xml
index 9173800ffc4..781bc07e6d5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r3.ebuild
similarity index 53%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-9999.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r3.ebuild
index 212b7c40b8a..d8d567fc3af 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r3.ebuild
@@ -1,15 +1,15 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
IUSE=""
-MODS="virt"
+MODS="dbus"
inherit selinux-policy-2
-DESCRIPTION="SELinux policy for virt"
+DESCRIPTION="SELinux policy for dbus"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
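Review bot: git has paired this new selinux-dbus ebuild with the old `selinux-virt-9999.ebuild`, which means sec-policy/selinux-virt leaves the overlay in this commit with no replacement visible in the diff (the package list in the same commit adds sec-policy/selinux-container, which may be the intended successor). Any profile, package set or the installed `selinux.conf` set file that still names selinux-virt will fail to resolve, and a host that already has the `virt` module in its store keeps it loaded with nothing left to update or remove it. If the drop is deliberate, a note in the commit message and, where selinux-container is the successor, a cleanup of the stale `virt` module in the same way DEL_MODS handles `hotplug` would close that gap.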
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r4.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r4.ebuild
new file mode 100644
index 00000000000..8410ed0b65e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r4.ebuild
@@ -0,0 +1,15 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+IUSE=""
+MODS="dbus"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for dbus"
+
+if [[ ${PV} != 9999* ]] ; then
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+fi
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-9999.ebuild
similarity index 66%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20210203-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-9999.ebuild
index cfdb675f360..1713ca84a2b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20210203-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-9999.ebuild
@@ -4,12 +4,12 @@
EAPI="7"
IUSE=""
-MODS="virt"
+MODS="dbus"
inherit selinux-policy-2
-DESCRIPTION="SELinux policy for virt"
+DESCRIPTION="SELinux policy for dbus"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest
index 531f9303e23..10292536925 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest
@@ -1,4 +1,3 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml
index 9173800ffc4..781bc07e6d5 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20200818-r2.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r3.ebuild
similarity index 72%
rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20200818-r2.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r3.ebuild
index 8cb63c7a8b0..d0691f20a03 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -11,5 +11,5 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for sssd"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="amd64 -arm arm64 ~mips x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r4.ebuild
similarity index 71%
rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20210203-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r4.ebuild
index 62027e0bdf2..5a569d91618 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20210203-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r4.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -11,5 +11,5 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for sssd"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild
index 69e1d26c00b..f1c278220cb 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -11,5 +11,5 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for sssd"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest
index 531f9303e23..10292536925 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest
@@ -1,4 +1,3 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml
index 9173800ffc4..781bc07e6d5 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20200818-r2.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r3.ebuild
similarity index 73%
rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20200818-r2.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r3.ebuild
index 8a4b64438cb..ca2ad1523df 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -11,5 +11,5 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for unconfined"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="amd64 -arm ~arm64 ~mips x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r4.ebuild
similarity index 72%
rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20210203-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r4.ebuild
index 9846e2b753d..ca550395be7 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20210203-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r4.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -11,5 +11,5 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for unconfined"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild
index 6726305669a..5785032bbd0 100644
--- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -11,5 +11,5 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for unconfined"
if [[ ${PV} != 9999* ]] ; then
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/Manifest
new file mode 100644
index 00000000000..d3279c23fc8
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/Manifest
@@ -0,0 +1 @@
+DIST checkpolicy-3.5.tar.gz 69904 BLAKE2B e02ccad07534568a1bbb612330018bbe486800ea40df20ed6f9dc38c88aff7f8858782a28ba7915a58c3bb384f180eb8da7a8fe97a92bcb9baa61eec18da6cbc SHA512 fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-3.5.ebuild
similarity index 83%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.2.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-3.5.ebuild
index f2cee807536..e3ad0c610ff 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-3.5.ebuild
@@ -1,10 +1,13 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit toolchain-funcs
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
DESCRIPTION="SELinux policy compiler"
HOMEPAGE="http://userspace.selinuxproject.org"
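Review bot: `HOMEPAGE` still points at a plain-http URL, while the semodule-utils and libsepol ebuilds touched by the same commit use `HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"`; now that the file lives in portage-stable it would be worth aligning it, since a non-TLS homepage is the kind of metadata nit downstream linters report. The same line appears unchanged in the checkpolicy-9999 ebuild further down. The new `MY_PV`/`MY_P` pair is consistent with the other SELinux ebuilds in this commit and needs no change.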
@@ -13,8 +16,9 @@ if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
S="${WORKDIR}/${P}/${PN}"
else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
+ S="${WORKDIR}/${MY_P}"
fi
LICENSE="GPL-2"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-9999.ebuild
similarity index 83%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-9999.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-9999.ebuild
index f2cee807536..496db82366f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-9999.ebuild
@@ -1,10 +1,13 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit toolchain-funcs
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
DESCRIPTION="SELinux policy compiler"
HOMEPAGE="http://userspace.selinuxproject.org"
@@ -13,8 +16,9 @@ if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
S="${WORKDIR}/${P}/${PN}"
else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+ S="${WORKDIR}/${MY_P}"
fi
LICENSE="GPL-2"
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/metadata.xml
new file mode 100644
index 00000000000..861770703d9
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/metadata.xml
@@ -0,0 +1,11 @@
+
+
+
+
+ selinux@gentoo.org
+ SELinux Team
+
+
+ SELinuxProject/selinux
+
+
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest
index 278c76d9d88..72517280356 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest
@@ -1,2 +1 @@
-DIST semodule-utils-3.1.tar.gz 14257 BLAKE2B c8c9a1ce7c9c4f53b1f4c728d16b149fdc284f4cff8b4fce0cb59b77d37d6d7e9bf2102c7177c4eaf94677af6147e42d8d0bd55c0bf3a358968d0162d5a6c65a SHA512 b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
-DIST semodule-utils-3.2.tar.gz 14260 BLAKE2B 35c071c96071028d4a912a89b88d02672f1fb8c2d8d23c3cb472b607dad55acdf351ef870b4d52bb2bed7b816a199c18947afcd16e77b66268822288feb4af2a SHA512 f937647cc22f7ed719908bad64415d706fd97cf1dce484dbca2484b05b3295de40e31bec643b6caaf4e8be742b1f911428d393c5e2d1d0ae39a2a37fd3be9bc1
+DIST semodule-utils-3.5.tar.gz 14383 BLAKE2B a1bb432013bca1023d99b32f43b2c972b6b807a4677f9d8c9fb9aff10225232506f3ecca86fc231b4c63d04582a91a1c4218f87ce5532a4d35a26a09665c6f10 SHA512 7c32f425ae71745040d1c6a6585149a1efb319913aa9d4c8bf185b0a4216dc66378fa38595b171614ee3ae4ade997d3ae56a060346e334faec55c419a87d71dd
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml
index 855cbdbdb7f..d159ea8775f 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.1.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.1.ebuild
deleted file mode 100644
index 2002f71e945..00000000000
--- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.1.ebuild
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs
-
-MY_RELEASEDATE="20200710"
-SEPOL_VER="${PV}"
-SELNX_VER="${PV}"
-
-MY_P="${P//_/-}"
-IUSE=""
-
-if [[ ${PV} == *9999 ]] ; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${MY_P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz"
- KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="SELinux policy module utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-LICENSE="GPL-2"
-SLOT="0"
-
-DEPEND=">=sys-libs/libsepol-${SEPOL_VER}:="
-
-# flatcar changes: add a weak blocker on policycoreutils-2.4
-# to prevent file collisions
-# policycoreutils-2.4 and semodule-utils provide the same files
-RDEPEND="${DEPEND}
- !=sys-apps/policycoreutils-2.4-r2
-"
-
-src_prepare() {
- default
-
- sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
-}
-
-src_compile() {
- emake CC="$(tc-getCC)"
-}
-
-src_install() {
- emake DESTDIR="${D}" install
-}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.5.ebuild
similarity index 80%
rename from sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.2.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.5.ebuild
index 13fc0d86279..b67d886e7b9 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.5.ebuild
@@ -1,29 +1,31 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit toolchain-funcs
-IUSE=""
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy module utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
if [[ ${PV} == *9999 ]] ; then
inherit git-r3
EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
S="${WORKDIR}/${P}/${PN}"
else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+ S="${WORKDIR}/${MY_P}"
fi
-DESCRIPTION="SELinux policy module utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
LICENSE="GPL-2"
SLOT="0"
+IUSE=""
DEPEND=">=sys-libs/libsepol-${PV}:="
-
RDEPEND="${DEPEND}"
src_prepare() {
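Review bot: `RDEPEND="${DEPEND}"` here has no counterpart to the weak blocker `!=sys-apps/policycoreutils-2.4-r2` that the deleted semodule-utils-3.1 ebuild carried under a "flatcar changes" comment about file collisions; the commit drops that ebuild without saying whether the collision is obsolete. If policycoreutils is bumped alongside (the changelog in this commit lists policycoreutils 3.5), a one-line comment such as `# policycoreutils-2.4 blocker dropped: that revision no longer ships the overlapping files` would record the decision for the next sync. The hunk ends at the `src_prepare()` signature; its body is outside this hunk.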
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild
index 13fc0d86279..525188411f4 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild
@@ -1,29 +1,31 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit toolchain-funcs
-IUSE=""
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy module utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
if [[ ${PV} == *9999 ]] ; then
inherit git-r3
EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
S="${WORKDIR}/${P}/${PN}"
else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz"
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ S="${WORKDIR}/${MY_P}"
fi
-DESCRIPTION="SELinux policy module utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
LICENSE="GPL-2"
SLOT="0"
+IUSE=""
DEPEND=">=sys-libs/libsepol-${PV}:="
-
RDEPEND="${DEPEND}"
src_prepare() {
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/Manifest
new file mode 100644
index 00000000000..c6efbb8e1ed
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/Manifest
@@ -0,0 +1 @@
+DIST libselinux-3.5.tar.gz 211453 BLAKE2B f7f3067c4bb0448e18bd7085135f11d94ae99728949480a655c0f660486817beb5829d8a43dff7bce286ccd50705b0c657bde85970f01c794e01fb707f469d8b SHA512 4e13261a5821018a5f3cdce676f180bb62e5bc225981ca8a498ece0d1c88d9ba8eaa0ce4099dd0849309a8a7c5a9a0953df841a9922f2c284e5a109e5d937ba7
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.2-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-3.5-r1.ebuild
similarity index 73%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.2-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-3.5-r1.ebuild
index 91e457f8dd5..1ed1db1ec9f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.2-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-3.5-r1.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
-PYTHON_COMPAT=( python3_{6..10} )
-USE_RUBY="ruby25 ruby26 ruby27"
+PYTHON_COMPAT=( python3_{10..12} )
+USE_RUBY="ruby30 ruby31 ruby32"
# No, I am not calling ruby-ng
inherit python-r1 toolchain-funcs multilib-minimal
@@ -20,28 +20,30 @@ if [[ ${PV} == 9999 ]]; then
S="${WORKDIR}/${P}/${PN}"
else
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
fi
LICENSE="public-domain"
SLOT="0"
-IUSE="pcre2 python ruby static-libs ruby_targets_ruby25 ruby_targets_ruby26 ruby_targets_ruby27"
+IUSE="python ruby static-libs ruby_targets_ruby30 ruby_targets_ruby31 ruby_targets_ruby32"
REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
- !pcre2? ( >=dev-libs/libpcre-8.33-r1:=[static-libs?,${MULTILIB_USEDEP}] )
- pcre2? ( dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] )
+RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}]
+ >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
python? ( ${PYTHON_DEPS} )
ruby? (
- ruby_targets_ruby25? ( dev-lang/ruby:2.5 )
- ruby_targets_ruby26? ( dev-lang/ruby:2.6 )
- ruby_targets_ruby27? ( dev-lang/ruby:2.7 )
+ ruby_targets_ruby30? ( dev-lang/ruby:3.0 )
+ ruby_targets_ruby31? ( dev-lang/ruby:3.1 )
+ ruby_targets_ruby32? ( dev-lang/ruby:3.2 )
)
elibc_musl? ( sys-libs/fts-standalone )"
DEPEND="${RDEPEND}"
BDEPEND="virtual/pkgconfig
- python? ( >=dev-lang/swig-2.0.9 )
+ python? (
+ >=dev-lang/swig-2.0.9
+ dev-python/pip[${PYTHON_USEDEP}]
+ )
ruby? ( >=dev-lang/swig-2.0.9 )"
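Review bot: The new `dev-python/pip[${PYTHON_USEDEP}]` build dependency implies the Python wrapper is now installed through pip rather than a direct setup.py call, yet the `install-pywrap` hunk below is unchanged and nothing on the page shows the pip invocation. It is worth confirming that the upstream Makefile's pip call runs with `--no-deps --no-build-isolation` (and that the build sandbox has no network) so that nothing is resolved from a package index during the build; if that is not the case, an `EPYTEST`/`PIP_*` environment override or a comment pointing at the upstream target would make the supply-chain property explicit. The same dependency is added to the libselinux-9999 ebuild further down, where the same check applies.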
src_prepare() {
@@ -59,7 +61,7 @@ multilib_src_compile() {
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
all
@@ -69,7 +71,7 @@ multilib_src_compile() {
LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
pywrap
}
@@ -86,7 +88,7 @@ multilib_src_compile() {
LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
rubywrap
}
@@ -102,7 +104,7 @@ multilib_src_install() {
emake DESTDIR="${D}" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
install
if multilib_is_native_abi && use python; then
@@ -110,7 +112,7 @@ multilib_src_install() {
emake DESTDIR="${D}" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
install-pywrap
python_optimize # bug 531638
}
@@ -126,7 +128,7 @@ multilib_src_install() {
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
RUBY=${1} \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
install-rubywrap
}
for RUBYTARGET in ${USE_RUBY}; do
@@ -143,12 +145,12 @@ pkg_postinst() {
# Fix bug 473502
for POLTYPE in ${POLICY_TYPES};
do
- mkdir -p /etc/selinux/${POLTYPE}/contexts/files || die
- touch /etc/selinux/${POLTYPE}/contexts/files/file_contexts.local || die
+ mkdir -p "${ROOT}/etc/selinux/${POLTYPE}/contexts/files" || die
+ touch "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/file_contexts.local" || die
# Fix bug 516608
for EXPRFILE in file_contexts file_contexts.homedirs file_contexts.local ; do
- if [[ -f "/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" ]]; then
- sefcontext_compile /etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE} \
+ if [[ -f "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" ]]; then
+ sefcontext_compile "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" \
|| die "Failed to recompile contexts"
fi
done
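Review bot: Prefixing the paths with `${ROOT}` fixes where the files land, but `sefcontext_compile` is still the build host's binary, so when `${ROOT}` is not `/` the generated `file_contexts.bin` is produced by the host's libselinux and pcre2 rather than the target's; the binary form is presumably only reusable when those match, and otherwise the target must fall back to parsing the text file. Consider guarding the compile step with `[[ ${ROOT:-/} == / ]] || return` (or a comment noting the fallback is relied upon) so image builds do not ship a `.bin` the target cannot load. `pkg_postinst` starts and ends outside this hunk.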
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-9999.ebuild
similarity index 80%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-9999.ebuild
index 91e457f8dd5..f5475a7744c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-9999.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
-PYTHON_COMPAT=( python3_{6..10} )
-USE_RUBY="ruby25 ruby26 ruby27"
+PYTHON_COMPAT=( python3_{10..12} )
+USE_RUBY="ruby30 ruby31 ruby32"
# No, I am not calling ruby-ng
inherit python-r1 toolchain-funcs multilib-minimal
@@ -20,28 +20,30 @@ if [[ ${PV} == 9999 ]]; then
S="${WORKDIR}/${P}/${PN}"
else
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
S="${WORKDIR}/${MY_P}"
fi
LICENSE="public-domain"
SLOT="0"
-IUSE="pcre2 python ruby static-libs ruby_targets_ruby25 ruby_targets_ruby26 ruby_targets_ruby27"
+IUSE="python ruby static-libs ruby_targets_ruby30 ruby_targets_ruby31 ruby_targets_ruby32"
REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
- !pcre2? ( >=dev-libs/libpcre-8.33-r1:=[static-libs?,${MULTILIB_USEDEP}] )
- pcre2? ( dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] )
+RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}]
+ >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
python? ( ${PYTHON_DEPS} )
ruby? (
- ruby_targets_ruby25? ( dev-lang/ruby:2.5 )
- ruby_targets_ruby26? ( dev-lang/ruby:2.6 )
- ruby_targets_ruby27? ( dev-lang/ruby:2.7 )
+ ruby_targets_ruby30? ( dev-lang/ruby:3.0 )
+ ruby_targets_ruby31? ( dev-lang/ruby:3.1 )
+ ruby_targets_ruby32? ( dev-lang/ruby:3.2 )
)
elibc_musl? ( sys-libs/fts-standalone )"
DEPEND="${RDEPEND}"
BDEPEND="virtual/pkgconfig
- python? ( >=dev-lang/swig-2.0.9 )
+ python? (
+ >=dev-lang/swig-2.0.9
+ dev-python/pip[${PYTHON_USEDEP}]
+)
ruby? ( >=dev-lang/swig-2.0.9 )"
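Review bot: The closing `)` of the `python? (` group in `BDEPEND` is at column 0 here, whereas the libselinux-3.5-r1 ebuild in this commit indents it to match the opening parenthesis; keeping the two files byte-alike (`	)`) makes future diffs between the live and release ebuilds cleaner. The dependency content itself matches the 3.5-r1 ebuild and needs no change.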
src_prepare() {
@@ -59,7 +61,7 @@ multilib_src_compile() {
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
all
@@ -69,7 +71,7 @@ multilib_src_compile() {
LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
pywrap
}
@@ -86,7 +88,7 @@ multilib_src_compile() {
LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
rubywrap
}
@@ -102,7 +104,7 @@ multilib_src_install() {
emake DESTDIR="${D}" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
install
if multilib_is_native_abi && use python; then
@@ -110,7 +112,7 @@ multilib_src_install() {
emake DESTDIR="${D}" \
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
install-pywrap
python_optimize # bug 531638
}
@@ -126,7 +128,7 @@ multilib_src_install() {
LIBDIR="\$(PREFIX)/$(get_libdir)" \
SHLIBDIR="/$(get_libdir)" \
RUBY=${1} \
- USE_PCRE2="$(usex pcre2 y n)" \
+ USE_PCRE2=y \
install-rubywrap
}
for RUBYTARGET in ${USE_RUBY}; do
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/metadata.xml
similarity index 77%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml
rename to sdk_container/src/third_party/portage-stable/sys-libs/libselinux/metadata.xml
index 92059a54b96..dfd7bb04e0a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org
@@ -10,9 +10,6 @@
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
-
cpe:/a:selinuxproject:libselinux
SELinuxProject/selinux
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest
index abf164a0089..cef9954d314 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest
@@ -1,2 +1 @@
-DIST libsepol-3.1.tar.gz 473842 BLAKE2B ef1d596c4d53cc0a87e899ef4aeb5bf29c9d6b8303632ddc866c100d30debd8aedd0e8b38cb4ce3141b80421cd914148ff072e492d63dc2dacf03ac2ce59ca5a SHA512 4b5f4e82853ff3e9b4fac2dbdea5c2fc3bb7b508af912217ac4b75da6540fbcd77aa314ab95cd9dfa94fbc4a885000656a663c1a152f65b4cf6970ea0b6034ab
-DIST libsepol-3.2.tar.gz 477749 BLAKE2B 6f35387c0373869672080e151f212c081389f6799539124353aa1749ae2648669b2e237a271297c1c212b7a9e0c35f05edfff1bb724c8a15993e8fb8c599ac2e SHA512 1a6b3489ff766958a4b444b9be63a794267243aed303d3e7d87278f11be492dbf603a0c8181c4c5e01cb0e1ceb43810a77f738f0b9bd1d7d2be67053f9c67a6f
+DIST libsepol-3.5.tar.gz 497522 BLAKE2B dad2d346605be53fe41aef69e2e4bd4f1ce68a15f0b9307deb6b66bbe7bf06a9ee6be580e60d2f19aebbc8ee5041ac8a7b831b51342ba7c7089e1f1a447e7691 SHA512 66f45a9f4951589855961955db686b006b4c0cddead6ac49ad238a0e4a34775905bd10fb8cf0c0ff2ab64f9b7d8366b97fcd5b19c382dec39971a2835cc765c8
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.1.ebuild
deleted file mode 100644
index ccf481b3d44..00000000000
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.1.ebuild
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs multilib-minimal
-
-MY_P="${P//_/-}"
-MY_RELEASEDATE="20200710"
-
-DESCRIPTION="SELinux binary policy representation library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${MY_P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz"
- KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-
-# tests are not meant to be run outside of the full SELinux userland repo
-RESTRICT="test"
-
-src_prepare() {
- eapply_user
- multilib_copy_sources
-}
-
-multilib_src_compile() {
- tc-export CC AR RANLIB
-
- # https://bugs.gentoo.org/706730
- local -x CFLAGS="${CFLAGS} -fcommon"
-
- emake \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)"
-}
-
-multilib_src_install() {
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- install
-}
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.5.ebuild
similarity index 92%
rename from sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.2.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.5.ebuild
index 141803b9f56..16ea268dc5c 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.5.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -17,7 +17,7 @@ if [[ ${PV} == 9999 ]]; then
S="${WORKDIR}/${P}/${PN}"
else
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild
index 141803b9f56..f682823e464 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
@@ -17,7 +17,7 @@ if [[ ${PV} == 9999 ]]; then
S="${WORKDIR}/${P}/${PN}"
else
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
S="${WORKDIR}/${MY_P}"
fi
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml
index 5adbcb6f6f1..6a8cf19d676 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml
@@ -1,5 +1,5 @@
-
+
selinux@gentoo.org