SELinux: Allow init-storage to set permissions

Files and directories that have restrictive permissions and/or are now
owned by *root:root* require `cp` to have additional process
capabilities in order to copy them to the writable filesystem.
gentoo
Dustin 2023-03-29 11:03:32 -05:00
parent d1db08966d
commit a1999939eb
1 changed files with 1 additions and 1 deletions


@ -36,7 +36,7 @@ files_tmp_file(aimee_set_root_password_tmp_t)
#
allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
allow aimee_storinit_t self:capability { chown fsetid sys_admin };
allow aimee_storinit_t self:capability { dac_read_search dac_override chown fowner fsetid sys_admin };
allow aimee_storinit_t self:process { setfscreate };
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
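Review bot: The widened `self:capability` rule adds `dac_override`, which lets anything running as `aimee_storinit_t` bypass mode and ownership checks for writes as well as reads. That is broader than the description's case of `cp` copying restrictive or root-owned files obviously requires. If the recorded AVC denials were only for reading the sources and setting modes on the copies, `dac_read_search` and `fowner` may be enough, so it is worth confirming that a denial actually named `dac_override` before keeping it. A comment above the rule would also help the next reader, for example `# cp of restrictive/root-owned paths to the writable fs: dac_read_search to read, fowner to set modes, chown/fsetid to keep owner and setgid bits`. The domain's local policy continues outside this hunk, so the file-type rules that bound what these capabilities can reach are not visible here.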