Allow NetworkManager and wpa_supplicant the bpf capability
Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter
and uses the same mechanism to allow a user-space program to attach a
filter onto any socket and allow or disallow certain types of data to
come through the socket.
Both NetworkManager and wpa_supplicant, running in the same domain,
want to listen only to related network events, so they need to set
a filter for which the bpf capability is required.

Addresses the following AVC denial:
type=PROCTITLE msg=audit(10/23/2022 19:29:47.030:1673) : proctitle=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
type=AVC msg=audit(10/23/2022 19:29:47.030:1673) : avc:  denied  { bpf } for  pid=1637 comm=wpa_supplicant capability=bpf  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(10/23/2022 19:29:47.030:1673) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0xc a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x55f15ed093a0 items=0 ppid=1 pid=1637 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Resolves: rhbz#2137085
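As an added example (not part of this commit or of the selinux-policy project), the step audit2allow performs between the AVC record above and a TE rule, with the paired SYSCALL record's success=yes used to flag a denial the kernel did not treat as fatal. The first three audit records are the ones quoted in the commit message; the fourth is constructed here to exercise the multi-permission path.

```python
import re

# Audit records as quoted in the commit message (one event: three records with
# serial 1673), plus one CONSTRUCTED AVC record (serial 1674, no SYSCALL record)
# to exercise the multi-permission path.  The last line is not from the bug report.
AUDIT_RECORDS = """\
type=PROCTITLE msg=audit(10/23/2022 19:29:47.030:1673) : proctitle=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
type=AVC msg=audit(10/23/2022 19:29:47.030:1673) : avc:  denied  { bpf } for  pid=1637 comm=wpa_supplicant capability=bpf  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(10/23/2022 19:29:47.030:1673) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0xc a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x55f15ed093a0 items=0 ppid=1 pid=1637 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(10/23/2022 19:30:01.000:1674) : avc:  denied  { map_create prog_load } for  pid=1637 comm=wpa_supplicant scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=bpf permissive=0
"""

SERIAL_RE = re.compile(r"msg=audit\(([^)]*)\)")
KV_RE = re.compile(r"(\w+)=(\S+)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")

def parse_records(text):
    """Group records by audit serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        fields = dict(KV_RE.findall(line))
        perms = PERMS_RE.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(serial.group(1), {})[fields["type"]] = fields
    return events

def domain(context):
    return context.split(":")[2]  # 'system_u:system_r:NetworkManager_t:s0' -> 'NetworkManager_t'

def avc_to_rule(avc, syscall=None):
    """Return (TE rule, fatal) for one AVC record; target is 'self' when the contexts
    match.  fatal=False when the paired SYSCALL shows success=yes: the kernel completed
    the call despite the refused permission, so the denial is a dontaudit candidate."""
    src = domain(avc["scontext"])
    tgt = "self" if avc["scontext"] == avc["tcontext"] else domain(avc["tcontext"])
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = f"allow {src} {tgt}:{avc['tclass']} {perm_str};"
    fatal = syscall is None or syscall.get("success") != "yes"
    return rule, fatal

def rules_from_log(text):
    """Translate every AVC event in the log into (rule, fatal) pairs, in log order."""
    return [avc_to_rule(recs["AVC"], recs.get("SYSCALL"))
            for recs in parse_records(text).values() if "AVC" in recs]
```

rules_from_log(AUDIT_RECORDS) returns the page's `allow NetworkManager_t self:capability2 bpf;` flagged non-fatal (the setsockopt succeeded with exit=0 under permissive=0), and the constructed record's `allow NetworkManager_t self:bpf { map_create prog_load };` flagged fatal because no SYSCALL record vouches for success.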
zpytela committed Dec 19, 2022
1 parent 9ef4179 commit cca4279
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/contrib/networkmanager.te
@@ -78,6 +78,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# and it receives a unexpected signal (rh bug #204161)
allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
dontaudit NetworkManager_t self:capability sys_tty_config;
allow NetworkManager_t self:capability2 bpf;

allow NetworkManager_t self:bpf { map_create map_read map_write prog_load prog_run };

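Review bot: the SYSCALL record quoted in the commit message shows success=yes exit=0 for this very denial while permissive=0, so the kernel completed setsockopt(SO_ATTACH_FILTER) even though the bpf capability was refused; the check was non-fatal rather than strictly required. The minimal fix for the noise is `dontaudit NetworkManager_t self:capability2 bpf;` next to the existing `dontaudit NetworkManager_t self:capability sys_tty_config;`. Granting `allow NetworkManager_t self:capability2 bpf;` to a domain that already holds `self:bpf { map_create map_read map_write prog_load prog_run }` lets everything in NetworkManager_t (NetworkManager and wpa_supplicant alike) load and run BPF programs, which is broader than the socket-filter use case the message describes; if that is intended, the commit message should say why the allow was chosen over a dontaudit.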
