sec-policy/selinux-*: Two small updates

Ensure that containers can append to fifos so stderr works under Docker,
and quieten wake_alarm AVCs.

sec-policy/selinux-base/files/kernel_mcs.diff

@@ -1,7 +1,7 @@
 diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
 --- refpolicy.orig/policy/modules/kernel/kernel.te	2015-06-24 14:05:01.160318849 -0700
 +++ refpolicy/policy/modules/kernel/kernel.te	2015-06-24 14:06:23.468516424 -0700
-@@ -442,3 +442,8 @@
+@@ -442,3 +442,9 @@
  	#dev_manage_all_dev_nodes(kernel_t)
  	dev_setattr_generic_chr_files(kernel_t)
  ')
@@ -10,3 +10,4 @@ diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules
 +mcs_file_write_all(kernel_t)
 +mcs_process_set_categories(kernel_t)
 +mcs_ptrace_all(kernel_t)
++allow kernel_t self:capability2 wake_alarm;

sec-policy/selinux-virt/files/virt.diff

@@ -32,5 +32,5 @@ diff -u contrib.orig/virt.te contrib/virt.te
 +allow svirt_lxc_net_t self:process getpgid;
 +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
 +allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
-+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open };
++allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
 +