systemd: Drop unconfined kernel access for systemd_nspawn.

Revise kernel assertion to /proc/kmsg to be more precise.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>

policy/modules/kernel/kernel.te

@@ -84,7 +84,7 @@ genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
 # kernel message interface
 type proc_kmsg_t, proc_type;
 genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
-neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
+neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file read;
 
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;

policy/modules/system/systemd.te

@@ -745,7 +745,6 @@ kernel_mounton_sysctl_dirs(systemd_nspawn_t)
 kernel_read_kernel_sysctls(systemd_nspawn_t)
 kernel_read_system_state(systemd_nspawn_t)
 kernel_remount_proc(systemd_nspawn_t)
-kernel_unconfined(systemd_nspawn_t)
 
 corecmd_exec_shell(systemd_nspawn_t)
 corecmd_search_bin(systemd_nspawn_t)