### Tasks
- [ ] Figure out which binaries can be ran by init and udev, add necessary SELinux rules - _Originally posted by @frezbo in https://github.com/siderolabs/talos/pull/9617#discussion_r1825640385_
- [ ] label static pods
- [ ] Ensure netlink is secured
- [ ] label libraries
- [ ] only enable on new installs unless otherwise supported
- [ ] relabel and update flow (enable SELinux if AppArmor is not enabled, relabel existing volumes)
- [ ] Have some policy similar to `setsebool secure_mode_policyload on`