minor nspawn, dnsmasq, and mon patches

Label some shell scripts from bridge-utils correctly.  Maybe have ifdef
distro_debian around this, not sure what upstream is doing.

systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.

Another dontaudit for mon_local_test_t to stop it spamming the logs.

Support a .d directory for dnsmasq config files.

policy/modules/kernel/corecommands.fc

@@ -165,6 +165,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bridge-utils/.*\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-hooks(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-run-hooks --	gen_context(system_u:object_r:bin_t,s0)

policy/modules/system/systemd.te

@@ -626,8 +626,10 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 	dev_mounton(systemd_nspawn_t)
 	dev_setattr_generic_dirs(systemd_nspawn_t)
 
-	files_search_home(systemd_nspawn_t)
+	# manage etc symlinks for /etc/localtime
+	files_manage_etc_symlinks(systemd_nspawn_t)
 	files_mounton_pid_dirs(systemd_nspawn_t)
+	files_search_home(systemd_nspawn_t)
 
 	fs_getattr_cgroup(systemd_nspawn_t)
 	fs_manage_cgroup_dirs(systemd_nspawn_t)

policy/modules/system/userdomain.if

@@ -2866,6 +2866,25 @@ interface(`userdom_read_user_tmpfs_files',`
 	fs_search_tmpfs($1)
 ')
 
+########################################
+## <summary>
+##	dontaudit Read attempts of user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	dontaudit $1 user_tmpfs_t:file read_file_perms;
+	dontaudit $1 user_tmpfs_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	relabel to/from user tmpfs dirs