Introduce domain_no_new_privs boolean (bsc#1253047)

Allows all domains to do nnp_transition when executing
another process.

This is needed for tools that disallow setuid/setgid binaries
e.g. https://github.com/thkukuk/account-utils and use NoNewPrivs
to accomplish that

default: off

see also: https://docs.kernel.org/userspace-api/no_new_privs.html

Author: ca-hu

policy/modules/kernel/domain.te

@@ -12,6 +12,14 @@ policy_module(domain, 1.11.0)
 #
 gen_tunable(domain_fd_use, true)
 
+## <desc>
+## <p>
+## Allow all domains to set NoNewPrivs
+## </p>
+## </desc>
+#
+gen_tunable(domain_no_new_privs, false)
+
 ## <desc>
 ## <p>
 ## Allow all domains to execute in fips_mode
@@ -209,6 +217,10 @@ tunable_policy(`domain_can_mmap_files',`
     allow domain file_type:lnk_file map;
 ')
 
+tunable_policy(`domain_no_new_privs',`
+    allow domain self:process2 { nnp_transition nosuid_transition };
+')
+
 ifdef(`hide_broken_symptoms',`
 	# This check is in the general socket
 	# listen code, before protocol-specific