Switch to "mcs" SELinux policy

We're going to want the ability for processes to have unique categories,
to enforce separation of container processes.  Gentoo's SELinux policy
supports both Multi-Category Security and Multi-Level Security modes,
although the latter does not seem to work out of the box.

portage/config/target/etc/portage/make.conf/60-selinux.conf

@@ -0,0 +1,2 @@
+USE="${USE} -unconfined"
+POLICY_TYPES=mcs