add cap sys_rawio to raw memory access interfaces

refpolicy/policy/modules/kernel/devices.if

@@ -82,6 +82,7 @@ requires_block_template(devices_raw_read_memory_depend,$2)
 typeattribute $1 memory_raw_read;
 allow $1 device_t:dir { getattr read search };
 allow $1 memory_device_t:chr_file { getattr read ioctl };
+allow $1 self:capability sys_rawio;
 ')
 
 define(`devices_raw_read_memory_depend',`
@@ -89,6 +90,7 @@ type device_t, memory_device_t;
 attribute memory_raw_read;
 class dir { getattr read search };
 class chr_file { getattr read ioctl };
+class capability sys_rawio;
 ')
 
 ########################################
@@ -100,6 +102,7 @@ requires_block_template(devices_raw_write_memory_depend,$2)
 typeattribute $1 memory_raw_write
 allow $1 device_t:dir { getattr read search };
 allow $1 memory_device_t:chr_file write;
+allow $1 self:capability sys_rawio;
 ')
 
 define(`devices_raw_write_memory_depend',`
@@ -107,6 +110,7 @@ type device_t, memory_device_t;
 attribute memory_raw_write;
 class dir { getattr read search };
 class chr_file write;
+class capability sys_rawio;
 ')
 
 ########################################