selinux: Allow domtrans from kernel_t to drbd_t

/usr/lib/drbd/crm-fence-peer.9.sh is labelled drbd_exec_t, however
the domain lands in kernel_generic_helper_t as it is not allowed
to transition from kernel_t to drbd_t.

Additionally, when the domtrans succeeds, crm-fence-peer.9.sh
will create entries in /proc with drbd_t label, so allowing that.

Author: ca-hu

selinux/drbd.te

@@ -50,6 +50,7 @@ require {
 #============= drbd_t ==============
 allow drbd_t self:capability { dac_read_search  kill net_admin sys_admin };
 dontaudit drbd_t self:capability sys_tty_config;
+allow drbd_t self:dir rw_dir_perms;
 allow drbd_t self:fifo_file rw_fifo_file_perms;
 allow drbd_t self:unix_stream_socket create_stream_socket_perms;
 allow drbd_t self:netlink_socket create_socket_perms;
@@ -72,6 +73,7 @@ manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
 manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t)
 files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir})
 
+kernel_domtrans_to(drbd_t, drbd_exec_t)
 kernel_read_system_state(drbd_t)
 kernel_load_module(drbd_t)
 
@@ -91,6 +93,7 @@ files_read_kernel_modules(drbd_t)
 
 logging_send_syslog_msg(drbd_t)
 
+fs_associate_proc(drbd_t)
 fs_getattr_xattr_fs(drbd_t)
 
 modutils_read_module_config(drbd_t)