Introduce SELinux policy module for kiwi #2756


Draft: wants to merge 1 commit into base: main

Conversation

Conan-Kudo
Member

This simple policy module ensures that the kiwi executable is labeled such that it works properly in SELinux enforcing mode.

@Conan-Kudo
Member Author

This is a fuller alternative to #2757 that lets us easily add more things in the future.

@Conan-Kudo Conan-Kudo closed this Mar 28, 2025
@Conan-Kudo Conan-Kudo deleted the kiwi-selinux branch March 28, 2025 14:30
@Conan-Kudo Conan-Kudo restored the kiwi-selinux branch March 31, 2025 15:13
@Conan-Kudo Conan-Kudo reopened this Mar 31, 2025
@schaefi
Collaborator

schaefi commented Apr 1, 2025

Really nice, thanks for this work 👍 I'm pretty dumb regarding SELinux policies. It would be great if we got a reviewer with knowledge in that area. Otherwise I'm perfectly fine adding it the way you did it, because I believe you tested it to work :)

@ca-hu

ca-hu commented Apr 4, 2025

Question: why add this as a separate module here instead of in the Fedora policy that is used by almost everyone? Usually this only makes sense when the maintainers of the project are well-versed in SELinux and can maintain this module long-term; otherwise you will run into more issues.

Also, it is a bit odd that the module is reusing an existing type; usually modules define their own types and rules around their type.

Also: what exactly is breaking?

@Conan-Kudo
Member Author

question: why add this as separate module here instead of in the fedora policy that is used by basically everyone? usually this only makes sense when the maintainers of the project are well-versed in selinux and can maintain this module long-term, otherwise you will run into more issues

Well, I am well-versed in SELinux. I've done a fair bit of SELinux policy work over the years in both Fedora and openSUSE. And as a team, we do need to develop more skill with SELinux anyway, since not knowing how to deal with it is bad for us as an image build tool.

But there are two big reasons:

  • We need this to work across all distributions and releases using SELinux. And some of those would not get a policy update with this for a long time (if ever).
  • We need a "fast path" since kiwi releases much more frequently than the policy package.

This does not preclude contributing it into fedora-selinux, and that will probably happen down the road as this is firmed up.

also it is a bit odd that the module is reusing an existing type, usually modules define their own types and rules around their type

Yes, I will probably change to this approach, but I need to spend more time to write it.
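As an added illustration of the "own type" approach discussed above (this is not the module from this PR and not kiwi's code), a hypothetical `kiwi.te`/`kiwi.fc` skeleton in refpolicy style; the executable path, the module name and the single permission rule are assumptions, and the real rule set would have to be derived and reviewed per release:

```selinux
# kiwi.te (hypothetical skeleton, not the PR's module)
policy_module(kiwi, 0.0.1)

########################################
# Declarations
#
# Declare a dedicated process domain and a dedicated entrypoint type
# instead of relabeling the executable to a type another module owns.
# Rules written against kiwi_t then only affect kiwi, and a distro
# policy update cannot silently change what the binary may do.
type kiwi_t;
type kiwi_exec_t;
application_domain(kiwi_t, kiwi_exec_t)
role system_r types kiwi_t;

########################################
# Local policy
#
# Placeholder: the permissions an image build actually needs are not
# on the page; they would be collected from audit denials and added
# here rule by rule, never as a blanket allow.
allow kiwi_t self:process { fork signal };

# kiwi.fc (separate file; path is an assumption)
# /usr/bin/kiwi(-ng)?    --    gen_context(system_u:object_r:kiwi_exec_t,s0)

# Build, load and relabel (run as root, needs selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile kiwi.pp
#   semodule -i kiwi.pp
#   restorecon -v /usr/bin/kiwi
#   ls -Z /usr/bin/kiwi      # expect ...:kiwi_exec_t:s0
```

After loading, any remaining denials show up in the audit log under `scontext=...:kiwi_t`, which is what makes a per-project domain easier to review than a reused type.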

@Conan-Kudo
Member Author

also: what exactly is breaking?

There have been requests from Fedora and CentOS to make kiwi work properly in SELinux enforcing mode as all the legacy image build tools in Fedora already do. After soliciting some advice from the OSBuild folks, I had identified an approach to resolve that problem. It also neatly resolves a problem nobody has yet noticed in openSUSE, in which you cannot build an image in SELinux enforcing mode.

3 participants