this is a replication of https://bugs.gentoo.org/691428
IMPORTANT - why SELinux sandbox support was dropped by Gentoo a few years ago:
- http://blog.siphos.be/2016/09/we-do-not-ship-selinux-sandbox/
- http://blog.siphos.be/2014/05/dropping-sesandbox-support/
Red Hat's point of view on SELinux sandbox
my plan is to:
1. introduce a new `sesandbox` USE flag https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L18
2. parametrize these variables:
- https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L114
- https://github.com/gentoo/gentoo/blob/57443662e1200e6a2841cfebc4ca8e87cd8a1b39/sys-apps/policycoreutils/policycoreutils-9999.ebuild#L133
3. and then introduce a new ebuild for https://github.com/SELinuxProject/selinux/tree/master/sandbox, which will be pulled in by `policycoreutils` if the `sesandbox` USE flag is set
This has not yet been discussed with @perfinion from #gentoo-hardened.
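For reference, this is the shape the ebuild changes in steps 1-3 would take. It is an added sketch, not the Gentoo policycoreutils ebuild or anything from the selinux repo: the flag name `sesandbox` comes from the plan above, while the package atom `sys-apps/selinux-sandbox` and the Makefile variable `SANDBOX_DIR` are assumptions standing in for whatever the real ebuild and upstream Makefiles use.

```shell
# Added sketch of the planned policycoreutils ebuild changes (not the real
# ebuild). Assumed names: the atom sys-apps/selinux-sandbox for the new
# sandbox package and the Makefile variable SANDBOX_DIR that the ebuild
# currently hard-codes; both are placeholders.
EAPI=7

# Step 1: add the flag to the existing IUSE list (only the new flag is shown).
IUSE="sesandbox"

# Step 3: the new sandbox ebuild is pulled in only when the flag is set.
# USE-conditional dependency syntax: "flag? ( atom )".
RDEPEND="
	sesandbox? ( sys-apps/selinux-sandbox )
"

# Step 2: the values that are hard-coded today become conditional on the flag.
# usex prints its second argument when the flag is set, the third otherwise,
# so the sandbox subdirectory is built only for USE=sesandbox.
src_compile() {
	emake -C "${S}" \
		SANDBOX_DIR="$(usex sesandbox sandbox '')"
}

src_install() {
	emake -C "${S}" DESTDIR="${D}" install

	# Without the flag, make sure nothing sandbox-related is shipped.
	if ! use sesandbox; then
		rm -f "${ED}"/usr/bin/sandbox "${ED}"/usr/sbin/seunshare || die
	fi
}
```

`usex` and `use` are portage helpers available inside an ebuild; the functions above are only defined here, not run, so the fragment sources cleanly outside portage as well.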