docs: add SELinux page for RHEL 8/9 standalone and private-node workers

[janekbaraniewski]

Summary

Adds vcluster/deploy/worker-nodes/private-nodes/security/selinux.mdx — the RHEL-on-SELinux story for vCluster Standalone and Private Node workers. Covers:

• What the vcluster-selinux RPM does and the isolation boundary it establishes (vcluster_data_t for host PKI/DB, container_runtime_t for the vCluster binary, container_t blocked from both).
• Install paths on RHEL 8 and RHEL 9: default auto-install from rpm.vcluster.com, --containerd-selinux for tenant-pod MCS labels, offline / custom-mirror install via --selinux-rpm-url, image-bake + --skip-selinux-rpm, and fully manual yum-repo install.
• The RHEL 8 Kubernetes 1.31 pin — el8 ships glibc 2.28 and can't load the default k8s 1.35 bundle's containerd, so the standalone needs controlPlane.distro.k8s.version: v1.31.11. Full vcluster.yaml snippet in the page.
• Verification, upgrade via dnf update, uninstall, and troubleshooting for the common AVC patterns (entrypoint fails to exec, missing .fc entry for a new binary, flannel fcontext override cleanup).

Also removes the stale "SELinux currently not supported" warning on both node-requirements pages (vcluster/deploy/worker-nodes/private-nodes/node-requirements.mdx and vcluster/deploy/control-plane/binary/node-requirements.mdx), updates the RHEL 8/9/10 rows to reflect reality, and tidies a handful of pre-existing vale warnings on those files. Adds vcluster-selinux and rpm.vcluster.com to the Loft vale vocab.

Scope: RHEL 8 and RHEL 9 ship the vcluster-selinux RPM. RHEL 10 isn't covered yet — loft-sh/vcluster-selinux has policy/el8 and policy/el9 trees but no policy/el10, so the installer exits non-zero on enforcing RHEL 10 and the table row points users at setenforce 0.

Test plan

• npm run build — clean.
• vale vcluster/deploy/worker-nodes/private-nodes/security/selinux.mdx — 0 errors, 0 warnings.
• Every command in the page exercised on a fresh Rocky Linux 9 VM on GCP via cloud-init — 36/36 assertions green, zero scoped AVCs during install, node Ready, dnf remove unloads the module and removes the flannel fcontext override.
• RHEL 10 behavior verified on a fresh Rocky Linux 10.1 VM — enforcing install fails (no el10 RPM, installer exits before dropping binaries), setenforce 0 + rerun installer reaches node Ready.
• RHEL 8 with the k8s 1.31 pin — Jan is running the Rocky 8 verification.
• Human review of tone/voice.

Closes DOC-713

[netlify]

✅ Deploy Preview for vcluster-docs-site ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	7081003
🔍 Latest deploy log	https://app.netlify.com/projects/vcluster-docs-site/deploys/69eb99712f6c9400084eb69b
😎 Deploy Preview	https://deploy-preview-2005--vcluster-docs-site.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

DOC-713: External docs for SELinux support for Private Nodes