Allow container domains to setfscreate

This does not really effect anything from a security point of view, since SELinux
will control the types of files container domains are allowed to create.

Signed-off-by: Daniel J Walsh <[email protected]>

container.te

@@ -1,4 +1,4 @@
-policy_module(container, 2.138.0)
+policy_module(container, 2.139.0)
 gen_require(`
 	class passwd rootok;
 ')
@@ -711,7 +711,7 @@ allow container_domain self:netlink_xfrm_socket create_socket_perms;
 allow container_domain self:packet_socket create_socket_perms;
 allow container_domain self:passwd rootok;
 allow container_domain self:peer recv;
-allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec };
+allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;