Since a few days i'm playing around with spice. Eventually also on a selinux gentoo. However, in the first place it didn't work on such a system until i disable all security feature's with paxctl.
Right now the "spice-vdagent" executable looks like this, which works:
baltix ~ # paxctl -v /usr/bin/spice-vdagent
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <firstname.lastname@example.org>
- PaX flags: -p-s-m-x-e-r [/usr/bin/spice-vdagent]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is disabled
However, i also just play around with selinux and i guess such changes to executables are usually handled with the "selinux" useflag (which is not present right now) and therefore with policies.
I also search the web for such an policy and found that  but unfortunately i don't know how to implement new policies so i hope someone can add one :)
I couldn't immediately find a reference in that bug where the policy itself is at, but refpolicy already holds a policy for vdagent (which I believe is the same thing, not?)
However, that policy confined the spice-vdagentd (daemon), whereas your path looks like a client-side package. In any case, I'll add in selinux-vdagent to support the daemon to start with.
rev4 is in hardened-dev overlay, which includes the selinux-vdagent policy. When it hits the main tree, I'll also add in the dependency on splace towards this policy (can't do it sooner for obvious reasons).
In main tree, ~arch'ed (rev 5)