SELinux: Add rules for user_tpm_t:sockfile to allow unlink

With a memoryBacking node added to the libvirt domain XML, the unlink
permission on user_tmp_t:sockfile becomes necessary to avoid an avc
denial.

  <currentMemory unit='KiB'>2097152</currentMemory>
  <memoryBacking>
    <hugepages>
      <page size='2048' unit='KiB'/>
    </hugepages>
  </memoryBacking>

Also add the unlink permission to the other occurrences of sock_file.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2165142
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

src/selinux/swtpm_svirt.te

@@ -15,7 +15,7 @@ swtpm_domtrans(svirt_tcg_t)
 #============= svirt_t ==============
 allow svirt_t virtd_t:fifo_file { read write };
 allow svirt_t virtd_t:process sigchld;
-allow svirt_t user_tmp_t:sock_file { create setattr };
+allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 allow svirt_t swtpm_exec_t:file { entrypoint map };
 # libvirt specific rules needed on F28
 allow svirt_t virtd_t:unix_stream_socket { read write getopt getattr accept };
@@ -25,10 +25,10 @@ allow svirt_t virt_var_run_t:file { create getattr open read unlink write };
 allow svirt_t virt_var_run_t:sock_file { create setattr };
 
 allow svirt_tcg_t virtd_t:fifo_file { write read };
-allow svirt_tcg_t virt_var_run_t:sock_file { create setattr };
+allow svirt_tcg_t virt_var_run_t:sock_file { create setattr unlink };
 allow svirt_tcg_t virt_var_run_t:file { create getattr open read unlink write };
 allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };
 allow svirt_tcg_t swtpm_exec_t:file { entrypoint map };
-allow svirt_tcg_t user_tmp_t:sock_file { create setattr };
+allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
 # libvirt specific rules needed on F28
 allow svirt_tcg_t virtd_t:unix_stream_socket { read write getopt getattr accept };