logwatch: fixes for logwatch

* Allow logwatch_t to getsched
* Allow logwatch_t to create logwatch_lock_t dirs
* Allow logwatch_mail_t to read/write pipe of crond

Fixes:
avc:  denied  { getsched } for  pid=1012 comm="sort"
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023 tclass=process
permissive=0

avc:  denied  { write } for  pid=269 comm="lockfile-create"
name="logcheck" dev="tmpfs" ino=12709
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023
tcontext=system_u:object_r:logwatch_lock_t:s0 tclass=dir permissive=0

avc:  denied  { write } for  pid=1470 comm="sendmail"
path="pipe:[15133]" dev="pipefs" ino=15133
scontext=system_u:system_r:logwatch_mail_t:s0-s15:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tclass=fifo_file
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

policy/modules/admin/logwatch.te

@@ -38,14 +38,14 @@ role system_r types logwatch_mail_t;
 #
 
 allow logwatch_t self:capability { dac_override dac_read_search setgid };
-allow logwatch_t self:process signal;
+allow logwatch_t self:process { signal getsched };
 allow logwatch_t self:fifo_file rw_fifo_file_perms;
 allow logwatch_t self:unix_stream_socket { accept listen };
 
 manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
 manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
 
-allow logwatch_t logwatch_lock_t:file manage_file_perms;
+manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
 files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
 
 manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
@@ -191,4 +191,5 @@ logging_read_all_logs(logwatch_mail_t)
 optional_policy(`
 	cron_use_system_job_fds(logwatch_mail_t)
 	cron_rw_system_job_pipes(logwatch_mail_t)
+	cron_rw_pipes(logwatch_mail_t)
 ')