diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
new file mode 100644
index 0000000000..b94efbdd1d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
@@ -0,0 +1,2 @@
+PKG_INSTALL_MASK+=" /etc/selinux/config"
+INSTALL_MASK+=" /etc/selinux/config"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
new file mode 100644
index 0000000000..883720831e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
@@ -0,0 +1,16 @@
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+index 56dbd5af5..b5cf0e3c0 100644
+--- a/refpolicy/policy/modules/kernel/kernel.te
++++ b/refpolicy/policy/modules/kernel/kernel.te
+@@ -363,6 +363,11 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+ 
+ mcs_process_set_categories(kernel_t)
++mcs_killall(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_ptrace_all(kernel_t)
++allow kernel_t self:user_namespace create;
+ 
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
new file mode 100644
index 0000000000..dd1090a7ab
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
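Review bot: Masking `/etc/selinux/config` out of the selinux-base install drops the file libselinux consults for the `SELINUX=` mode and `SELINUXTYPE=` policy name, and nothing in this diff shows what supplies that file instead, so a reader cannot tell whether the image is meant to get it from another package or to boot without one. The two-line env file should say where it comes from, e.g. a first line `# Drop refpolicy's /etc/selinux/config; <provider> ships the image's own copy` with the real provider named. A short note on why both `PKG_INSTALL_MASK` and `INSTALL_MASK` are set would also help the next person who has to keep them in step.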
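Review bot: The four `mcs_*_all(kernel_t)` lines exempt kernel_t from the MCS category constraints on kill, ptrace and file read/write, which is the boundary that keeps MCS-separated workloads (containers, typically) apart, yet the patch file starts directly at `diff --git` with no header explaining which denials motivated the exemption. A git-format-patch style file like `0001-…` should open with a description naming the kernel_t activity that needed it (the AVC lines would do) so the grant can be re-examined or narrowed later. The `allow kernel_t self:user_namespace create;` line also deserves a note on which refpolicy/kernel version introduces the `user_namespace` class, since a base that does not declare it fails to build with this patch applied. The inner hunk edits the middle of the kernel_t rule block in kernel.te, whose start and end lie outside the hunk.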
@@ -0,0 +1,44 @@
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 495cbe2f4..a5605f866 100644
+--- a/refpolicy/policy/modules/kernel/files.if
++++ b/refpolicy/policy/modules/kernel/files.if
+@@ -7892,3 +7892,39 @@ interface(`files_unconfined',`
+ 
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++##
++## Relabel all files on the filesystem, except
++## policy_config_t and exceptions.
++##
++##
++## Domain allowed access.
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
++#
++interface(`files_relabel_all_non_policy_files',`
++ gen_require(`
++ attribute file_type;
++ type policy_config_t;
++ ')
++
++ allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms;
++ relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ # this is only relabelfrom since there should be no
++ # device nodes with file types.
++ relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++')
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
new file mode 100644
index 0000000000..1b4bb31467
--- /dev/null
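Review bot: The `$2` exclusion in `files_relabel_all_non_policy_files` fails open: the parameter comment says each excluded type must be negated by the caller, and a caller who forgets the minus sign gets `{ file_type -policy_config_t foo_t }`, which is just `file_type`, so the intended exclusion silently vanishes and the domain may relabel that type after all. That hazard belongs in the parameter comment, e.g. `## (an un-negated type is a no-op here, since it is already in file_type)`. The summary should also make clear that only `policy_config_t` is excluded by default and that whatever labels the rest of the SELinux configuration tree stays relabelable unless the caller passes it. Separately, the inner `diff --git a/policy/... b/policy/...` line names a different path from its `---`/`+++` lines (`a/refpolicy/policy/...`); GNU patch follows the `---`/`+++` names, but git apply rejects a header whose names disagree, so aligning them is cheap insurance.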
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
@@ -0,0 +1,40 @@
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
+--- a/refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
+@@ -879,6 +879,24 @@
+ 
+ ########################################
+ ##
++## Bind ICMP sockets to generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_icmp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:icmp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic nodes.
+ ##
+ ##
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
+--- a/refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
+@@ -373,7 +373,7 @@
+ 
+ # Bind to any network address.
+ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
++allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+ 
+ # Infiniband
+ corenet_ib_access_all_pkeys(corenet_unconfined_type)
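Review bot: `corenet_icmp_bind_generic_node` and the widened `corenet_unconfined_type` `node_bind` rule both assume `icmp_socket` is a distinct object class, which as far as I recall only holds when the `extended_socket_class` policy capability is enabled; on a policy without it ICMP sockets are checked as `rawip_socket`, which the existing rule already covers, so the interface summary should say so, e.g. `## Requires the extended_socket_class policy capability; without it ICMP sockets are checked as rawip_socket.`. The `diff -u -r` headers pair `a/refpolicy/...` with `b/refpolicy2/...`, so which file name patch(1) settles on depends on the -p level the ebuild uses; regenerating the patch with matching prefixes removes that ambiguity. Both inner hunks sit inside larger blocks of corenetwork.if.in and corenetwork.te.in whose boundaries lie outside the hunk.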