xserver: allow X roles to read xkb libs to set keymaps

commit d76d9e13b1
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
setting xkeymaps fails with the following errors:

$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)

type=AVC msg=audit(1485357942.135:4458): avc:  denied  { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0

policy/modules/services/xserver.if

@@ -166,6 +166,8 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+
+	xserver_read_xkb_libs($2)
 ')
 
 #######################################