data/selinux: update the policy to allow s-c to manipulate BPF map and programs

[bboozzoo]

Update the SELinux policy. The bpffs is mounted at /sys/fs/bpf, so we need permissions to list/read /sys. On top of this, there's separate permissions to manipulate files in bpffs, and bpf related capabilities.

[stolowski]

LGTM, thank you! Suggested one typo fix.

[stolowski]

Suggested change

	# when managing cgroup v2 snap-confines creates BPF map and attaches a BPF
	# when managing cgroup v2 snap-confine creates BPF map and attaches a BPF

[codecov-commenter]

Codecov Report

Merging #10802 (4258876) into master (6efac1b) will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #10802   +/-   ##
=======================================
  Coverage   78.33%   78.33%           
=======================================
  Files         890      890           
  Lines      100198   100231   +33     
=======================================
+ Hits        78486    78519   +33     
  Misses      16793    16793           
  Partials     4919     4919           

Flag	Coverage Δ
unittests	78.33% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
asserts/snapasserts/validation_sets.go	97.24% <0.00%> (-1.82%)	⬇️
overlord/snapstate/storehelpers.go	78.41% <0.00%> (-0.82%)	⬇️
overlord/snapstate/snapstate.go	81.15% <0.00%> (+0.13%)	⬆️
overlord/ifacestate/handlers.go	64.92% <0.00%> (+0.14%)	⬆️
overlord/ifacestate/helpers.go	77.52% <0.00%> (+0.49%)	⬆️
overlord/hookstate/hookmgr.go	74.83% <0.00%> (+0.66%)	⬆️
cmd/snap/main.go	67.24% <0.00%> (+1.35%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6efac1b...4258876. Read the comment docs.

[mvo5]

Thank you

[mardy]

I understand very little of selinux, but LGTM :-D