systemd: allow systemd-userdbd to getcap

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/system/systemd.te

@@ -1878,7 +1878,7 @@ seutil_libselinux_linked(systemd_user_session_type)
 #
 
 allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
-allow systemd_userdbd_t self:process signal;
+allow systemd_userdbd_t self:process { getcap signal };
 allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms;
 
 stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)