selinux: Allow passing tty devices to containers

The default SELinux policy does not allow passing generic USB devices
and unallocated TTYs to containers.  This prevents the Zigbee and ZWave
USB dongles from being usable by their respective container processes.

repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te

@@ -257,3 +257,15 @@ optional_policy(`
 	allow podman_t devlog_t:sock_file mounton;
 	logging_send_syslog_msg(container_t)
 ')
+
+# Allow podman to mount tty devices in containers
+optional_policy(`
+	gen_require(`
+		type container_t, kernel_t;
+		type tty_device_t;
+	')
+	term_use_unallocated_ttys(container_t)
+	container_mountpoint(tty_device_t)
+	dev_rw_generic_usb_dev(kernel_t)
+	dev_setattr_generic_usb_dev(kernel_t)
+')