sudo: allow using CAP_KILL for SIGWINCH

With the following process tree:

    LABEL                           UID    PID  PPID  TTY   CMD
    sysadm_u:sysadm_r:sysadm_t      root  18146 12404 pts/0 /usr/bin/zsh
    sysadm_u:sysadm_r:sysadm_sudo_t root  18441 18146 pts/0 sudo -su user
    sysadm_u:sysadm_r:sysadm_sudo_t root  18443 18441 pts/1 sudo -su user
    sysadm_u:sysadm_r:sysadm_t      user  18444 18443 pts/1 /usr/bin/zsh

When the terminal window of the first process is resized, SIGWINCH is
forwarded by process 18443, which needs the CAP_KILL capability to do so:

    type=AVC msg=audit(1567881640.754:13839): avc:  denied  { kill } for
    pid=18443 comm="sudo" capability=5
    scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=sysadm_u:sysadm_r:sysadm_sudo_t tclass=capability
    permissive=0

    type=SYSCALL msg=audit(1567881640.754:13839): arch=c000003e
    syscall=62 success=no exit=-1 a0=ffffb7f4 a1=1c a2=ffffffff a3=100
    items=0 ppid=18441 pid=18443 auid=1000 uid=0 gid=1000 euid=0 suid=0
    fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=690 comm="sudo"
    exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)

    type=PROCTITLE msg=audit(1567881640.754:13839):
    proctitle=7375646F002D73750075736572

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas Iooss 2019-09-14 14:00:58 +02:00
parent 42b966d2df
commit 1097ce0e24
GPG Key ID: C191415F340DAAA0
1 changed files with 1 additions and 1 deletions


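--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
 #
 # Use capabilities.
-allow $1_sudo_t self:capability { chown dac_override fowner setgid setuid sys_nice sys_resource };
+allow $1_sudo_t self:capability { chown dac_override fowner kill setgid setuid sys_nice sys_resource };
 allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate };
 allow $1_sudo_t self:process { setexec setrlimit };
 allow $1_sudo_t self:fd use;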
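Review bot: The added `kill` grants $1_sudo_t CAP_KILL as a whole, which is not limited to SIGWINCH or to the child sudo is forwarding to, so the new allow line should carry a comment recording why it is needed, e.g. `# CAP_KILL: sudo forwards SIGWINCH to a child running under another UID`. The SYSCALL record in the description supports that reading: on x86-64 syscall 62 is kill() and a1=1c is signal 28 (SIGWINCH), sent by the uid=0 sudo to the user-owned shell. Because the capability check is the DAC-side check for signalling a process of a different UID, the existing `self:process signal_perms` could not cover it; the SELinux process-signal permission towards the target domain (sysadm_t here) is a separate check, presumably already granted since no second denial appears in the description. The template body continues outside this hunk.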