fedora-selinux / setroubleshoot

Abandoned, use https://gitlab.com/setroubleshoot

setroubleshootd: run server with setroubleshoot uid instead of root #3

Closed bachradsusi closed 9 years ago

bachradsusi commented 9 years ago

setroubleshootd doesn't really need to be run with root privileges. This patch changes the code and the dbus service setting to run setroubleshoot as the setroubleshoot user.

There's a patch available for Fedora dist-git [1]. The patch also changes the spec file to create the setroubleshoot user, change the owner of /var/lib/setroubleshoot and /var/run/setroubleshoot, and add a tmpfiles.d configuration file to create the /run/setroubleshoot directory on boot.

[1] https://plautrba.fedorapeople.org/setroubleshoot/setroubleshootd-run-server-with-setroubleshoot-uid-i.patch

src.rpm is available at https://plautrba.fedorapeople.org/setroubleshoot/setroubleshoot-3.2.22-2.fc23.2.src.rpm

mgrepl commented 9 years ago

If you run the following reproducer

touch /var/www/html/test

chcon -t sshd_key_t /var/www/html/test

runcon -u system_u -r system_r -t httpd_t -- cat /var/www/html/test

you get

[system] Rejected send message, 1 matched rules; type="method_call", sender=":1.673" (uid=1000 pid=753 comm="/usr/bin/python -Es /usr/bin/sealert -s ") interface="org.fedoraproject.SetroubleshootFixit" member="run_fix" error name="(unset)" requested_reply="0" destination=":1.675" (uid=0 pid=772 comm="/usr/bin/python /usr/share/setroubleshoot/Setroubl")

bachradsusi commented 9 years ago

The "Rejected send message" is not related to the privilege drop; it's due to a wrong dbus configuration. I've pushed a fix for that to this branch and run a copr build: https://copr.fedoraproject.org/coprs/plautrba/selinux/build/84239/

Please re-review
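
To triage a denial like the one quoted earlier in this thread, the line can be split into its fields to see which interface and method were refused and which uid sat on each side of the call. This is an added example, not part of the pull request or of the setroubleshoot code; the names `parse_denial` and `calls_root_service` are hypothetical, and the field layout is inferred from the single line shown in the thread.

```python
import re

# The denial line quoted in this thread, embedded so the example runs offline.
SAMPLE = (
    '[system] Rejected send message, 1 matched rules; type="method_call", '
    'sender=":1.673" (uid=1000 pid=753 comm="/usr/bin/python -Es /usr/bin/sealert -s ") '
    'interface="org.fedoraproject.SetroubleshootFixit" member="run_fix" '
    'error name="(unset)" requested_reply="0" destination=":1.675" '
    '(uid=0 pid=772 comm="/usr/bin/python /usr/share/setroubleshoot/Setroubl")'
)

# Assumption: the parenthesised credential block may be missing on some lines,
# so it is optional here and the fields then stay None.
PEER = re.compile(
    r'(sender|destination)="([^"]*)"(?: \(uid=(\d+) pid=(\d+) comm="([^"]*)"\))?'
)
FIELD = re.compile(r'\b(type|interface|member|error name|requested_reply)="([^"]*)"')
RULES = re.compile(r'Rejected send message, (\d+) matched rules')


def parse_denial(line):
    """Return a dict for a dbus-daemon send denial, or None for other lines."""
    head = RULES.search(line)
    if head is None:
        return None
    rec = {"matched_rules": int(head.group(1))}
    for key, value in FIELD.findall(line):
        rec[key.replace(" ", "_")] = value
    for role, bus_name, uid, pid, comm in PEER.findall(line):
        rec[role] = {
            "bus_name": bus_name,
            "uid": int(uid) if uid else None,
            "pid": int(pid) if pid else None,
            "comm": comm or None,
        }
    return rec


def calls_root_service(rec):
    """True when a non-root sender was denied a call into a uid 0 destination."""
    src, dst = rec.get("sender", {}), rec.get("destination", {})
    return src.get("uid") not in (None, 0) and dst.get("uid") == 0


if __name__ == "__main__":
    rec = parse_denial(SAMPLE)
    print(rec["interface"], rec["member"], rec["sender"]["uid"], "->", rec["destination"]["uid"])
    print("non-root caller into uid 0 service:", calls_root_service(rec))
```
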

mgrepl commented 9 years ago

It works!