ulogd: allow creating a netlink-netfilter socket
This is used to get the packets logged by the firewall. I experienced this on a Debian system which uses nftables rules with the "log" keyword:

type=AVC msg=audit(1565901600.257:348): avc: denied { create } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1

type=AVC msg=audit(1565901103.154:327): avc: denied { read } for pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1
type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45 success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1 pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111 egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd" exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null)
type=PROCTITLE msg=audit(1565901103.154:327): proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964
[ ... ]
type=AVC msg=audit(1565901600.241:338): avc: denied { write } for pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1565901600.257:348): avc: denied { create } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1565901600.257:349): avc: denied { getattr } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1565901600.257:350): avc: denied { bind } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
parent
f37b4b5ddd
commit
d91d41b53a
@ -28,6 +28,7 @@ logging_log_file(ulogd_var_log_t)
|
|||
|
||||
allow ulogd_t self:capability { net_admin setgid setuid sys_nice };
|
||||
allow ulogd_t self:process setsched;
|
||||
allow ulogd_t self:netlink_netfilter_socket create_socket_perms;
|
||||
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
|
||||
allow ulogd_t self:netlink_socket create_socket_perms;
|
||||
allow ulogd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
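Review bot: The new `allow ulogd_t self:netlink_netfilter_socket create_socket_perms;` line grants more than the denials in the description show: in refpolicy's permission sets `create_socket_perms` expands to create plus the whole rw_socket_perms set (ioctl, setattr, append, connect, getopt, setopt, shutdown as well as read, write, getattr and bind), whereas the audit sample only hits create, read, write, getattr and bind. Matching the neighbouring netlink_nflog_socket and netlink_socket rules is a reasonable choice, but the rule should say why ulogd needs this class at all, e.g. `# packets from nftables "log" rules reach ulogd over nfnetlink`. If a tighter rule is wanted, an explicit `{ create read write getattr bind }` set would mirror the observed denials, at the cost of possible further denials for operations the sample did not exercise; that trade-off is worth stating in the commit or a comment either way.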