Add new setup test to packit which checking AVC

Add new setup test to packit which checking AVC.
Also add local dontaudit module to hide AVC, which
are not related with keylime. Allow for keylime domain attribute
execute gpg in the caller domain.

Author: Koncpa

keylime.te

@@ -61,6 +61,10 @@ userdom_exec_user_tmp_files(keylime_domain)
 userdom_manage_user_tmp_dirs(keylime_domain)
 userdom_manage_user_tmp_files(keylime_domain)
 
+optional_policy(`
+        gpg_exec(keylime_domain)
+')
+
 ########################################
 #
 # keylime server policy
@@ -74,10 +78,6 @@ manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
 
 fs_rw_inherited_tmpfs_files(keylime_server_t)
 
-optional_policy(`
-        gpg_exec(keylime_server_t)
-')
-
 optional_policy(`
         kerberos_read_config(keylime_server_t)
         kerberos_read_keytab(keylime_server_t)

local_dontaudit.te

@@ -0,0 +1,13 @@
+policy_module(local_dontaudit, 1.0)
+require {
+type systemd_gpt_generator_t;
+type syslogd_t;
+type var_log_t;
+type fixed_disk_device_t;
+}
+
+
+
+dontaudit syslogd_t var_log_t:file { relabelfrom relabelto };
+dontaudit systemd_gpt_generator_t systemd_gpt_generator_t:capability sys_admin;
+dontaudit systemd_gpt_generator_t fixed_disk_device_t:blk_file write;

packit-ci.fmf

@@ -17,6 +17,8 @@
      - semodule -i keylime.pp
      - restorecon -R /usr/bin/ /usr/local/bin/ /var/lib/ /var/log/
      - rm -f /etc/yum.repos.d/tag-repository.repo
+     - make -f /usr/share/selinux/devel/Makefile local_dontaudit.pp
+     - semodule -i local_dontaudit.pp
 
   discover:
     how: fmf
@@ -30,6 +32,7 @@
      - /functional/basic-attestation-on-localhost
      # now change IMA policy to signing and run all tests
      - /setup/configure_kernel_ima_module/ima_policy_signing
+     - /setup/inject_SELinux_AVC_check
      - /functional/basic-attestation-on-localhost
      - /functional/basic-attestation-with-custom-certificates
      - /functional/basic-attestation-with-ima-signatures