selinuxutil: allow setfiles to read semanage store

commit a7334eb0de98af11ec38b6263536fa01bc2a606c
libsemanage: validate and compile file contexts before installing

validates the fcontexts when they are still in /var/lib/selinux. Without
setfiles_t having access to read the files, validation fails and the
policy cannot be updated.

policy/modules/system/selinuxutil.if

@@ -1099,6 +1099,29 @@ interface(`seutil_run_semanage',`
 	roleattribute $2 semanage_roles;
 ')
 
+########################################
+## <summary>
+##	Read the semanage module store.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_module_store',`
+	gen_require(`
+		type selinux_config_t, semanage_store_t;
+	')
+
+	files_search_etc($1)
+	files_search_var($1)
+	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+	list_dirs_pattern($1, semanage_store_t, semanage_store_t)
+	read_files_pattern($1, semanage_store_t, semanage_store_t)
+	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
 ########################################
 ## <summary>
 ##	Full management of the semanage

policy/modules/system/selinuxutil.te

@@ -589,6 +589,7 @@ logging_send_syslog_msg(setfiles_t)
 miscfiles_read_localization(setfiles_t)
 
 seutil_libselinux_linked(setfiles_t)
+seutil_read_module_store(setfiles_t)
 
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory