SELinux: Allow Podman to mount /dev/log

These SELinux policy rules allow containers to log directly to
syslog/the systemd journal via the `/dev/log` socket.  To enable this,
simply mount the socket into a container's mount namespace, e.g. `-v
/dev/log:/dev/log`.

repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te

@@ -247,3 +247,13 @@ optional_policy(`
 	files_relabel_non_security_dirs(podman_t)
 	files_relabel_non_security_files(podman_t)
 ')
+
+# Allow podman to mount /dev/log in containers
+optional_policy(`
+	gen_require(`
+		type podman_t, container_t;
+		type devlog_t;
+	')
+	allow podman_t devlog_t:sock_file mounton;
+	logging_send_syslog_msg(container_t)
+')