Allow container runtimes to launch unconfined_t processes

We want to allow

Trying to pull registry.fedoraproject.org/fedora...
Getting image source signatures
Copying blob 1657ffead824 [--------------------------------------] 0.0b / 0.0b
Copying config eb7134a03c done
Writing manifest to image destination
Storing signatures
system_u:system_r:unconfined_t:s0:c186,c823

Signed-off-by: Daniel J Walsh <[email protected]>

Author: rhatdan

container.te

@@ -1,4 +1,4 @@
-policy_module(container, 2.134.0)
+policy_module(container, 2.135.0)
 gen_require(`
 	class passwd rootok;
 ')
@@ -541,6 +541,9 @@ optional_policy(`
 	allow container_runtime_domain unconfined_t:fifo_file setattr;
 	allow unconfined_t container_domain:process dyntransition;
 	allow unconfined_t unlabeled_t:key manage_key_perms;
+	allow container_runtime_t unconfined_t:process transition;
+	allow unconfined_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+	fs_fusefs_entrypoint(unconfined_t)
 ')
 
 optional_policy(`