Add SELinux policy so kadmind can read the crackdb dictionary

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

selinux/ipa.te

@@ -115,6 +115,24 @@ optional_policy(`
 	sssd_stream_connect(ipa_otpd_t)
 ')
 
+########################################
+#
+# password policy local policy
+#
+optional_policy(`
+    gen_require(`
+        type kadmind_t;
+        type crack_db_t;
+        class file getattr;
+        class file open;
+        class file read;
+        class dir search;
+    ')
+    allow kadmind_t crack_db_t:file { getattr open read };
+    allow kadmind_t crack_db_t:dir search;
+')
+
+
 ########################################
 #
 # ipa-helper local policy