diff --git a/build-rootfs.sh b/build-rootfs.sh
index 9943ec0..2316838 100755
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -80,3 +80,27 @@ if ! grep -q Include /mnt/gentoo/etc/ssh/sshd_config; then
     echo 'Include /etc/ssh/sshd_config.d/*.conf' \
         >> /mnt/gentoo/etc/ssh/sshd_config
 fi
+
+# Although `semanage` accepts a `--store` argument that supposedly
+# instructs it to operate on an alternate SELinux policy store, it
+# doesn't actually work.  As such, we have to run `semanage` in an
+# alternate mount namespace with the target policy store bind-mounted
+# at the default location so `semanage` can operate on it.
+unshare -m sh -e <<EOF
+mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
+mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
+semanage boolean -N -m --on ssh_sysadm_login
+semanage login -N -m -s root root
+semanage user -N -m -R sysadm_r root
+EOF
+
+setfiles \
+    -p \
+    -F \
+    -m \
+    -r /mnt/gentoo \
+    -c /mnt/gentoo/etc/selinux/strict/policy/policy.* \
+    -e /mnt/gentoo/var/db/pkg \
+    -e /mnt/gentoo/etc/portage \
+    /mnt/gentoo/etc/selinux/strict/contexts/files/file_contexts \
+    /mnt/gentoo
diff --git a/busybox.symlinks b/busybox.symlinks
index cbd7463..4994e8c 100644
--- a/busybox.symlinks
+++ b/busybox.symlinks
@@ -1,5 +1,6 @@
 basename
 cat
+chcon
 cp
 dd
 df
diff --git a/config b/config
index 49e40c0..703589c 100644
--- a/config
+++ b/config
@@ -1,5 +1,5 @@
 target=aarch64-unknown-linux-gnu
-profile=default/linux/arm64/17.0/systemd/merged-usr
+profile=default/linux/arm64/17.0/systemd/selinux/merged-usr
 kernel_pkg=sys-kernel/raspberrypi-sources
 kernel_defconfig=bcm2835
 device_tree=broadcom/bcm2711-rpi-cm4-ha-yellow.dtb
diff --git a/host-portage/package.use/selinux b/host-portage/package.use/selinux
new file mode 100644
index 0000000..14ea6e0
--- /dev/null
+++ b/host-portage/package.use/selinux
@@ -0,0 +1,2 @@
+sys-libs/libselinux python
+sys-process/audit python
diff --git a/host-portage/package.use/systemd b/host-portage/package.use/systemd
index c6fa03b..30cb08f 100644
--- a/host-portage/package.use/systemd
+++ b/host-portage/package.use/systemd
@@ -1,2 +1,4 @@
 sys-apps/dbus systemd
 sys-apps/systemd -*
+sec-policy/selinux-base systemd
+sec-policy/selinux-base-policy systemd
diff --git a/host-tools.packages b/host-tools.packages
index b5adbfb..4fa55fa 100644
--- a/host-tools.packages
+++ b/host-tools.packages
@@ -1,3 +1,5 @@
+sec-policy/selinux-base
+sys-apps/policycoreutils
 sys-apps/systemd
 sys-boot/grub
 sys-fs/btrfs-progs
diff --git a/linux.config b/linux.config
index 7e585fd..65b7a5f 100644
--- a/linux.config
+++ b/linux.config
@@ -47,3 +47,10 @@ CONFIG_IPV6_SIT_6RD=m
 
 # CONFIG_MEDIA_CEC_SUPPORT is not set
 # CONFIG_MEDIA_SUPPORT is not set
+
+CONFIG_AUDIT=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_DEFAULT_SECURITY_SELINUX=y
+# DEFAULT_SECURITY_DAC is not set
diff --git a/overlay/etc/selinux/config b/overlay/etc/selinux/config
new file mode 100644
index 0000000..ba488c2
--- /dev/null
+++ b/overlay/etc/selinux/config
@@ -0,0 +1,15 @@
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+#	enforcing - SELinux security policy is enforced.
+#	permissive - SELinux prints warnings instead of enforcing.
+#	disabled - No SELinux policy is loaded.
+SELINUX=enforcing
+
+# SELINUXTYPE can take one of these four values:
+#	targeted - Only targeted network daemons are protected.
+#	strict   - Full SELinux protection.
+#	mls      - Full SELinux protection with Multi-Level Security
+#	mcs      - Full SELinux protection with Multi-Category Security 
+#	           (mls, but only one sensitivity level)
+SELINUXTYPE=strict
diff --git a/overlay/usr/lib/systemd/system-preset/80-local-default.preset b/overlay/usr/lib/systemd/system-preset/80-local-default.preset
index d0681c5..73e8dcc 100644
--- a/overlay/usr/lib/systemd/system-preset/80-local-default.preset
+++ b/overlay/usr/lib/systemd/system-preset/80-local-default.preset
@@ -1,3 +1,5 @@
+enable auditd.service
+
 disable ldconfig.service
 
 disable systemd-userdbd.service
diff --git a/overlay/usr/lib/systemd/system/auditd.service.d/augenrules.conf b/overlay/usr/lib/systemd/system/auditd.service.d/augenrules.conf
new file mode 100644
index 0000000..ba0918e
--- /dev/null
+++ b/overlay/usr/lib/systemd/system/auditd.service.d/augenrules.conf
@@ -0,0 +1,5 @@
+[Service]
+# Do not run augenrules; read audit rules from the audit.rules file as
+# it exists already.  Audit rules are generated at build time.
+ExecStartPost=
+ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
diff --git a/portage/package.use/python b/portage/package.use/python
new file mode 100644
index 0000000..815e2af
--- /dev/null
+++ b/portage/package.use/python
@@ -0,0 +1 @@
+dev-lang/python -ensurepip
diff --git a/portage/patches/sec-policy/selinux-base-policy b/portage/patches/sec-policy/selinux-base-policy
new file mode 120000
index 0000000..999e000
--- /dev/null
+++ b/portage/patches/sec-policy/selinux-base-policy
@@ -0,0 +1 @@
+selinux-base
\ No newline at end of file
diff --git a/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch b/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch
new file mode 100644
index 0000000..c994bfd
--- /dev/null
+++ b/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch
@@ -0,0 +1,40 @@
+From 45fbe472c6d0b8ecf320b4f04ebf6c09ec85ba33 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Fri, 3 Mar 2023 15:04:28 -0600
+Subject: [PATCH] systemd: Fixes for systemd-resolved
+
+---
+ refpolicy/policy/modules/system/systemd.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
+index ef25974..78f2b07 100644
+--- a/refpolicy/policy/modules/system/systemd.te
++++ b/refpolicy/policy/modules/system/systemd.te
+@@ -228,6 +228,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+ 
+ type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
+ files_runtime_file(systemd_resolved_runtime_t)
++init_mountpoint(systemd_resolved_runtime_t)
+ 
+ type systemd_stdio_bridge_t;
+ type systemd_stdio_bridge_exec_t;
+@@ -1441,6 +1442,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+ corenet_udp_bind_generic_node(systemd_resolved_t)
+ corenet_udp_bind_dns_port(systemd_resolved_t)
+ corenet_udp_bind_llmnr_port(systemd_resolved_t)
++corenet_udp_bind_howl_port(systemd_resolved_t)
+ 
+ selinux_use_status_page(systemd_resolved_t)
+ 
+@@ -1452,6 +1454,7 @@ files_list_runtime(systemd_resolved_t)
+ 
+ fs_getattr_all_fs(systemd_resolved_t)
+ fs_search_cgroup_dirs(systemd_resolved_t)
++fs_search_all(systemd_resolved_t)
+ 
+ init_dgram_send(systemd_resolved_t)
+ 
+-- 
+2.39.0
+
diff --git a/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch b/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch
new file mode 100644
index 0000000..dc38752
--- /dev/null
+++ b/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch
@@ -0,0 +1,24 @@
+From c1510fe7d63665ea133da3b044c2c63a9b104a02 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sat, 4 Mar 2023 09:57:44 -0600
+Subject: [PATCH] mount: Allow mounting on etc_t
+
+---
+ refpolicy/policy/modules/system/mount.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
+index d028723..f73cd29 100644
+--- a/refpolicy/policy/modules/system/mount.te
++++ b/refpolicy/policy/modules/system/mount.te
+@@ -89,6 +89,7 @@ files_manage_etc_runtime_files(mount_t)
+ files_etc_filetrans_etc_runtime(mount_t, file)
+ files_mounton_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
++files_mounton_etc_dirs(mount_t)
+ # These rules need to be generalized.  Only admin, initrc should have it:
+ files_relabelto_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+-- 
+2.39.0
+
diff --git a/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch b/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch
new file mode 100644
index 0000000..7906797
--- /dev/null
+++ b/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch
@@ -0,0 +1,24 @@
+From 81e1ed4da36c7638f63e78969f70d77f87fb3600 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sat, 4 Mar 2023 10:16:13 -0600
+Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
+
+---
+ refpolicy/policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
+index 5124ae0..b0d7e8f 100644
+--- a/refpolicy/policy/modules/kernel/kernel.te
++++ b/refpolicy/policy/modules/kernel/kernel.te
+@@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
+ 
+ # Other possible mount points for the root fs are in files
+ allow kernel_t unlabeled_t:dir mounton;
++files_mountpoint(unlabeled_t)
+ # Kernel-generated traffic e.g., TCP resets on
+ # connections with invalidated labels:
+ allow kernel_t unlabeled_t:packet send;
+-- 
+2.39.0
+
diff --git a/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch b/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch
new file mode 100644
index 0000000..74dc110
--- /dev/null
+++ b/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch
@@ -0,0 +1,24 @@
+From 552ee711eaba5d9efff087feff23b2e6f6249743 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Mon, 6 Mar 2023 12:10:19 -0600
+Subject: [PATCH] Allow systemd-journald list cgroup directories
+
+---
+ refpolicy/policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
+index abd61e6..08f77b5 100644
+--- a/refpolicy/policy/modules/system/logging.te
++++ b/refpolicy/policy/modules/system/logging.te
+@@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+ 
+ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
++fs_list_cgroup_dirs(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+ 
+-- 
+2.39.0
+
diff --git a/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch b/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch
new file mode 100644
index 0000000..5059391
--- /dev/null
+++ b/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch
@@ -0,0 +1,76 @@
+From bb58cbda2f45ee5d25b44dd256bd3de52bfcc3d8 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Fri, 10 Mar 2023 12:39:41 -0600
+Subject: [PATCH] Allow systemd to create directories
+
+This allows use of the `RuntimeDirectory`, `StateDirectory`, etc. unit
+settings.
+---
+ refpolicy/policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ refpolicy/policy/modules/system/init.te  | 14 ++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
+index f7217b2..9966a21 100644
+--- a/refpolicy/policy/modules/kernel/files.if
++++ b/refpolicy/policy/modules/kernel/files.if
+@@ -608,6 +608,24 @@ interface(`files_manage_non_security_dirs',`
+ 	allow $1 non_security_file_type:dir manage_dir_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Allow attempts to setattr any directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_non_security_dirs',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	allow $1 non_security_file_type:dir { read setattr };
++')
++
+ ########################################
+ ## <summary>
+ ##	Create non-security directories.
+diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
+index 97a75cf..7b44a43 100644
+--- a/refpolicy/policy/modules/system/init.te
++++ b/refpolicy/policy/modules/system/init.te
+@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false)
+ ## </desc>
+ gen_tunable(init_mounton_non_security, false)
+ 
++## <desc>
++## <p>
++## Enable init create, setattr, mounton on non_security_file_type
++## </p>
++## </desc>
++gen_tunable(init_create_dirs, true)
++
+ attribute init_mountpoint_type;
+ attribute init_path_unit_loc_type;
+ attribute init_script_domain_type;
+@@ -606,6 +613,13 @@ ifdef(`init_systemd',`
+ 		unconfined_create_keys(init_t)
+ 		unconfined_write_keys(init_t)
+ 	')
++
++	tunable_policy(`init_create_dirs',`
++	    files_create_non_security_dirs(init_t)
++	    files_mounton_non_security(init_t)
++	    files_setattr_non_security_dirs(init_t)
++	')
++
+ ',`
+ 	tunable_policy(`init_upstart',`
+ 		corecmd_shell_domtrans(init_t, initrc_t)
+-- 
+2.39.0
+
diff --git a/portage/profile/package.provided b/portage/profile/package.provided
new file mode 100644
index 0000000..8edbdcb
--- /dev/null
+++ b/portage/profile/package.provided
@@ -0,0 +1 @@
+app-admin/setools-4.4.0-r3
diff --git a/portage/savedconfig/sys-apps/busybox b/portage/savedconfig/sys-apps/busybox
index 378e46b..900dd76 100644
--- a/portage/savedconfig/sys-apps/busybox
+++ b/portage/savedconfig/sys-apps/busybox
@@ -32,7 +32,7 @@ CONFIG_FEATURE_SUID=y
 # CONFIG_FEATURE_SUID_CONFIG_QUIET is not set
 # CONFIG_FEATURE_PREFER_APPLETS is not set
 CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
-# CONFIG_SELINUX is not set
+CONFIG_SELINUX=y
 # CONFIG_FEATURE_CLEAN_UP is not set
 # CONFIG_FEATURE_SYSLOG_INFO is not set
 # CONFIG_FEATURE_SYSLOG is not set
@@ -1076,7 +1076,7 @@ CONFIG_SV_DEFAULT_SERVICE_DIR=""
 # CONFIG_SVC is not set
 # CONFIG_SVOK is not set
 # CONFIG_SVLOGD is not set
-# CONFIG_CHCON is not set
+CONFIG_CHCON=y
 # CONFIG_GETENFORCE is not set
 # CONFIG_GETSEBOOL is not set
 # CONFIG_LOAD_POLICY is not set
diff --git a/squashfs.exclude b/squashfs.exclude
index 61ccb9f..675e922 100644
--- a/squashfs.exclude
+++ b/squashfs.exclude
@@ -8,13 +8,27 @@ etc/conf.d
 etc/csh.env
 etc/init.d
 etc/portage
+etc/python-exec
 etc/runlevels
 usr/aarch64-unknown-linux-gnu
+usr/bin/2to3*
+usr/bin/audit2*
+usr/bin/chcat
+usr/bin/idle
+usr/bin/pydoc*
+usr/bin/python*
+usr/bin/pyvenv
+usr/bin/rlpkg
+usr/bin/semanage
+usr/bin/sepolgen*
+usr/bin/sepolicy
 usr/include
 usr/lib*/*.a
 usr/lib*/cmake
+usr/lib*/libpython*
 usr/lib*/pkgconfig
 usr/lib/kernel
+usr/lib/python*
 usr/lib/rpm
 usr/lib/udev/hwdb.d
 usr/local
@@ -23,10 +37,14 @@ usr/share/baselayout
 usr/share/bash-completion
 usr/share/doc
 usr/share/factory
+usr/share/gdb
 usr/share/info
+usr/share/locale/*/*/*python*
 usr/share/man
 usr/share/pkgconfig
 usr/share/polkit-1
+usr/share/portage
+usr/share/selinux/*/include
 usr/share/zsh
 var/cache/edb
 var/db/Makefile