devices: label /dev/sysdig0

`sysdig` is a tool that enables introspecting the system, debugging it,
etc. It uses a driver that creates `/dev/sysdig0`. Define a specific
label in order to be able to allow using it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

policy/modules/kernel/devices.fc

@@ -113,6 +113,7 @@
 /dev/snapshot		-c	gen_context(system_u:object_r:acpi_bios_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/sysdig[0-9]	-c	gen_context(system_u:object_r:sysdig_device_t,s0)
 /dev/tee[0-9]		-c	gen_context(system_u:object_r:tee_device_t,s0)
 /dev/teepriv[0-9]	-c	gen_context(system_u:object_r:tee_priv_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)

policy/modules/kernel/devices.if

@@ -4176,6 +4176,25 @@ interface(`dev_manage_smartcard',`
 	manage_chr_files_pattern($1, device_t, smartcard_device_t)
 ')
 
+########################################
+## <summary>
+##	Read, write and map the sysdig device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_sysdig',`
+	gen_require(`
+		type device_t, sysdig_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, sysdig_device_t)
+	allow $1 sysdig_device_t:chr_file map;
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on sysfs.

policy/modules/kernel/devices.te

@@ -255,6 +255,12 @@ dev_node(smartcard_device_t)
 type sound_device_t;
 dev_node(sound_device_t)
 
+#
+# Type for sysdig device
+#
+type sysdig_device_t;
+dev_node(sysdig_device_t)
+
 #
 # sysfs_t is the type for the /sys pseudofs
 #