setroubleshoot has a plugin that checks the file context on disk versus a matchpathcon. So needs additional privs

Changelog

@@ -1,3 +1,4 @@
+- Patch for setroubleshoot for validating file contexts from Dan Walsh.
 - Patch for gssd fixes from Dan Walsh.
 - Patch for lvm fixes from Dan Walsh.
 - Patch for ricci fixes from Dan Walsh.

policy/modules/services/setroubleshoot.te

@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.2.1)
+policy_module(setroubleshoot,1.2.2)
 
 ########################################
 #
@@ -74,8 +74,10 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
 files_getattr_all_dirs(setroubleshootd_t)
+files_getattr_all_files(setroubleshootd_t)
 
 selinux_get_enforce_mode(setroubleshootd_t)
+selinux_validate_context(setroubleshootd_t)
 
 term_dontaudit_use_console(setroubleshootd_t)
 term_dontaudit_use_all_user_ptys(setroubleshootd_t)
@@ -97,9 +99,12 @@ logging_send_syslog_msg(setroubleshootd_t)
 logging_stream_connect_auditd(setroubleshootd_t)
 
 seutil_read_config(setroubleshootd_t)
+seutil_read_file_contexts(setroubleshootd_t)
 
 sysnet_read_config(setroubleshootd_t)
 
+userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_generic_ptys(setroubleshootd_t)
 	term_dontaudit_use_unallocated_ttys(setroubleshootd_t)