cockpit-project / cockpituous

Cockpit Continuous Integration and Delivery
GNU Lesser General Public License v2.1

ansible: Apply "execheap" SELinux policy hack #580

Closed martinpitt closed 8 months ago

martinpitt commented 8 months ago

With current Fedora 39, Chromium often runs into these crashes:

AVC avc:  denied  { execheap } for  pid=3725873 comm="ThreadPoolForeg" scontext=system_u:system_r:container_t:s0:c439,c758 tcontext=system_u:system_r:container_t:s0:c439,c758 tclass=process permissive=0
systemd-coredump[3725903]: [Process 3725873 (headless_shell) of user 1111 terminated abnormally without generating a coredump.

This causes the browser to hang, and the test is force-killed after the timeout.

The general tone in past bug reports is that this is intended -- heap shouldn't be writable and executable at the same time. So Chromium is doing something dubious here.

This isn't something we can easily influence, so just poke a hole into the policy.

This was generated by collecting the full denial with ausearch -c 'ThreadPoolForeg' --raw, and feeding the result into audit2allow:

echo 'type=AVC msg=audit(1709124430.347:10808): avc:  denied  { execheap } for  pid=150495 comm="ThreadPoolForeg" scontext=system_u:system_r:container_t:s0:c114,c423 tcontext=system_u:system_r:container_t:s0:c114,c423 tclass=process permissive=1' | audit2allow -M cockpituous

Fixes #579


I rolled this out to our infra. Let's check tomorrow morning if it actually worked. Update: It did, and it's still necessary with Chromium 122.
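The ausearch/audit2allow step described above, as an added example that is not part of this PR or the cockpituous repository: a small Python parser that reads AVC denial lines like the ones quoted in this PR, selects them by comm the way ausearch -c does, and renders the allow rule and the .te module skeleton that audit2allow -M produces from them. The sample input is the two execheap denials quoted here plus one constructed, unrelated file denial (marked as such in the code) so the filtering is visible; the module text follows the shape of audit2allow's .te output as an assumption, not a byte-exact reproduction of the tool.

```python
import re

# Constructed sample input: the two execheap denials quoted in this PR (one in raw
# audit format, one as journald prints it), one CONSTRUCTED unrelated file denial,
# and the coredump line that follows the crash. Only the Chromium lines should
# survive the comm filter.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1709124430.347:10808): avc:  denied  { execheap } for  pid=150495 comm="ThreadPoolForeg" scontext=system_u:system_r:container_t:s0:c114,c423 tcontext=system_u:system_r:container_t:s0:c114,c423 tclass=process permissive=1
AVC avc:  denied  { execheap } for  pid=3725873 comm="ThreadPoolForeg" scontext=system_u:system_r:container_t:s0:c439,c758 tcontext=system_u:system_r:container_t:s0:c439,c758 tclass=process permissive=0
type=AVC msg=audit(1709124431.000:10809): avc:  denied  { read } for  pid=4242 comm="unrelated" scontext=system_u:system_r:container_t:s0:c114,c423 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
systemd-coredump[3725903]: [Process 3725873 (headless_shell) of user 1111 terminated abnormally without generating a coredump.
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def context_type(ctx):
    """Extract the SELinux type from a user:role:type:level context string."""
    return ctx.split(":")[2]


def allow_rule(denial):
    """Render the TE allow rule for a denial; the target is 'self' when source and target types match."""
    src = context_type(denial["scontext"])
    tgt = context_type(denial["tcontext"])
    target = "self" if src == tgt else tgt
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{denial['tclass']} {perm_text};"


def denials_for(text, comm):
    """Return the parsed denials whose comm matches, like ausearch -c selects them."""
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d and d["comm"] == comm]


def policy_module(name, denials):
    """Build a .te module in the shape audit2allow -M emits (assumed format)."""
    types = sorted({context_type(d["scontext"]) for d in denials}
                   | {context_type(d["tcontext"]) for d in denials})
    classes = {}
    for d in denials:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for cls, perms in sorted(classes.items()):
        p = sorted(perms)
        out.append(f"\tclass {cls} " + (p[0] if len(p) == 1 else "{ " + " ".join(p) + " }") + ";")
    out += ["}", ""]
    out += sorted({allow_rule(d) for d in denials})  # duplicates collapse into one rule
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(policy_module("cockpituous", denials_for(SAMPLE_AUDIT, "ThreadPoolForeg")))
```

Two things worth seeing in the output: the rule is keyed on the SELinux type (container_t), not on the process name, so it grants execheap to every process running as container_t on that host, which is exactly the hole the PR description talks about; and the permissive=1 on the line fed to audit2allow only records that the denial was captured in permissive mode, it does not change the generated rule. The real tool additionally compiles the .te into a .pp that is loaded with semodule -i.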

mvollmer commented 8 months ago

So Chromium is doing something dubious here.

Just FTR: I am not so sure about dubious. Chromium's JIT has always needed executable memory, and that was always okay with SELinux. But something must have changed in the details.