
feat: add necessary SELinux allow rules #9127

Draft pull request: wants to merge 35 commits into base: main

Conversation

dsseng
Member

@dsseng dsseng commented Aug 7, 2024

Pull Request

What? (description)

Initial SELinux support

Why? (reasoning)

Improve security, #8016

Acceptance

Please use the following checklist:

  • you linked an issue (if applicable)
  • you included tests (if applicable)
  • you ran conformance (make conformance)
  • you formatted your code (make fmt)
  • you linted your code (make lint)
  • you generated documentation (make docs)
  • you ran unit-tests (make unit-tests)

See make help for a description of the available targets.

Tip: to debug denials in QEMU:

    secilc -c 33 selinux/**/*.cil -vvvvv \
      && PYTHONPATH=/tmp/selinux/python/sepolgen/src python3 /tmp/selinux/python/audit2allow/audit2allow \
           -i /tmp/tl-test-home/.talos/clusters/talos-default/talos-default-controlplane-1.log \
           -C -p /tmp/talos/policy.33 > /tmp/audit2allow.cil \
      && PYTHONPATH=/tmp/selinux/python/sepolgen/src python3 /tmp/selinux/python/audit2allow/audit2allow \
           -i /tmp/tl-test-home/.talos/clusters/talos-default/talos-default-controlplane-1.log \
           -C -p /tmp/talos/policy.33 -e > /tmp/audit2allow-explain.cil

@dsseng
Member Author

dsseng commented Oct 26, 2024

Current AVC denials:

;============= pod_containerd_t ==============
; audit(1729973459.178:75):
;  scontext="client_u:client_r:pod_containerd_t:s0" tcontext="system_u:object_r:bin_t:s0"
;  class="file" perms="execute_no_trans"
;  comm="portmap" exe="" path=""
;  message="[    8.620880] audit: type=1400 audit(1729973459.178:75): avc:
;   denied  { execute_no_trans } for  pid=2217 comm="portmap"
;   path="/sbin/xtables-legacy-multi" dev="loop0" ino=580
;   scontext=client_u:client_r:pod_containerd_t:s0
;   tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 "
; audit(1729973494.435:94):
;  scontext="client_u:client_r:pod_containerd_t:s0" tcontext="system_u:object_r:bin_t:s0"
;  class="file" perms="execute_no_trans"
;  comm="portmap" exe="" path=""
;  message="[   43.805129] audit: type=1400 audit(1729973494.435:94): avc:
;   denied  { execute_no_trans } for  pid=2504 comm="portmap"
;   path="/sbin/xtables-legacy-multi" dev="loop0" ino=580
;   scontext=client_u:client_r:pod_containerd_t:s0
;   tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 "
(allow pod_containerd_t bin_t (file (execute_no_trans)))

;============= udev_rules_t ==============
; audit(1729973454.016:47):
;  scontext="system_u:object_r:udev_rules_t:s0" tcontext="system_u:object_r:fs_t:s0"
;  class="filesystem" perms="associate"
;  comm="init" exe="" path=""
;  message="[    3.464284] audit: type=1400 audit(1729973454.016:47): avc:
;   denied  { associate } for  pid=1 comm="init" name="99-talos.rules"
;   scontext=system_u:object_r:udev_rules_t:s0 tcontext=system_u:object_r:fs_t:s0
;   tclass=filesystem permissive=1 "
(allow udev_rules_t fs_t (filesystem (associate)))
; audit(1729973454.016:47):
;  scontext="system_u:object_r:udev_rules_t:s0" tcontext="system_u:object_r:tmpfs_t:s0"
;  class="filesystem" perms="associate"
;  comm="init" exe="" path=""
;  message="[    3.465198] audit: type=1400 audit(1729973454.016:47): avc:
;   denied  { associate } for  pid=1 comm="init" name="#b"
;   scontext=system_u:object_r:udev_rules_t:s0
;   tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 "
(allow udev_rules_t tmpfs_t (filesystem (associate)))

;============= udev_t ==============
; audit(1729973451.628:43):
;  scontext="system_u:system_r:udev_t:s0" tcontext="system_u:object_r:udevadm_exec_t:s0"
;  class="file" perms="entrypoint"
;  comm="wrapperd" exe="" path=""
;  message="[    1.068557] audit: type=1400 audit(1729973451.628:43): avc:
;   denied  { entrypoint } for  pid=1059 comm="wrapperd" path="/usr/bin/udevadm"
;   dev="loop0" ino=587 scontext=system_u:system_r:udev_t:s0
;   tcontext=system_u:object_r:udevadm_exec_t:s0 tclass=file permissive=1 "
(allow udev_t udevadm_exec_t (file (entrypoint)))
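The denial list above is audit2allow output: it groups kernel AVC lines by source type and turns each (source, target, class) combination into a CIL allow rule. The script below is an added example (not part of this PR, and not audit2allow itself) that does the same reduction on a constructed sample log modelled on the lines quoted above, so the pipeline from the tip in the description can be followed without a QEMU run. It assumes dmesg-style formatting of the AVC records and adds a small review step flagging `execute_no_trans` rules, since those let the source domain run the target file without a domain transition, which is worth a reviewer's second look when the target is a shared type such as bin_t.

```python
import re
from collections import defaultdict

# Constructed sample input: dmesg-style AVC lines modelled on the denials
# quoted in this thread, plus one unrelated line. Not a captured log.
SAMPLE_LOG = """\
[    1.068557] audit: type=1400 audit(1729973451.628:43): avc:  denied  { entrypoint } for  pid=1059 comm="wrapperd" path="/usr/bin/udevadm" dev="loop0" ino=587 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:udevadm_exec_t:s0 tclass=file permissive=1
[    3.464284] audit: type=1400 audit(1729973454.016:47): avc:  denied  { associate } for  pid=1 comm="init" name="99-talos.rules" scontext=system_u:object_r:udev_rules_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
[    8.620880] audit: type=1400 audit(1729973459.178:75): avc:  denied  { execute_no_trans } for  pid=2217 comm="portmap" path="/sbin/xtables-legacy-multi" dev="loop0" ino=580 scontext=client_u:client_r:pod_containerd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
[   43.805129] audit: type=1400 audit(1729973494.435:94): avc:  denied  { execute_no_trans } for  pid=2504 comm="portmap" path="/sbin/xtables-legacy-multi" dev="loop0" ino=580 scontext=client_u:client_r:pod_containerd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
[   50.000000] kernel: unrelated line that the parser must ignore
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." as printed by the kernel.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        # A context is user:role:type:level; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": fields.get("tclass", ""),
        # permissive=1 means the access was logged but not actually blocked.
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm", ""),
        "path": fields.get("path") or fields.get("name", ""),
    }


def collect_rules(log_text):
    """Merge denials into {(source_type, target_type, class): set(perms)}.

    Repeated denials (the two portmap lines) collapse into one rule, which is
    what audit2allow does when it generates allow statements.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(rules)


def to_cil(rules):
    """Render CIL allow statements grouped by source type, like audit2allow -C."""
    out = []
    for stype in sorted({key[0] for key in rules}):
        out.append(f";============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"(allow {s} {t} ({cls} ({' '.join(sorted(perms))})))")
    return "\n".join(out)


def needs_review(rules):
    """Rules a policy reviewer should check by hand before copying them in.

    execute_no_trans lets the source domain run the target file while staying
    in its own domain; when the target is a shared type such as bin_t this is
    broader than a dedicated exec type plus a domain transition would be.
    """
    return sorted(key for key, perms in rules.items() if "execute_no_trans" in perms)


if __name__ == "__main__":
    found = collect_rules(SAMPLE_LOG)
    print(to_cil(found))
    for key in needs_review(found):
        print(f"; review: {key[0]} -> {key[1]} ({key[2]}) grants execute_no_trans")
```

Run on the sample it prints the same three allow statements as the audit2allow output above, with the two portmap denials merged into one rule, and then a review line for the pod_containerd_t rule. The `permissive` flag parsed from each record is the reminder that these denials were collected with `permissive=1`: nothing was actually blocked, so the generated rules describe what the workload did, not a minimal set of what it needs.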

@dsseng dsseng force-pushed the selinux branch 2 times, most recently from 75b4274 to 07a989f Compare October 28, 2024 18:39
@dsseng dsseng force-pushed the selinux branch 5 times, most recently from 13e9c1d to 9950176 Compare October 30, 2024 08:14
@dsseng dsseng force-pushed the selinux branch 7 times, most recently from 43dbed6 to 00d40bb Compare October 31, 2024 15:38
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
requires kernel 6.8+ for userspace_initial_context capability

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>