selinux: Allow unconfined_service_t → osbuild_t

When osbuild is invoked via the osbuild composer worker, the latter
is run in the unconfined_service_t domain, so add a rule that
allows that transition.

selinux/osbuild.te

@@ -51,6 +51,15 @@ optional_policy(`
         osbuild_run(unconfined_t, unconfined_r)
 ')
 
+optional_policy(`
+        gen_require(`
+                type unconfined_service_t;
+                role system_r;
+        ')
+
+        osbuild_run(unconfined_service_t, system_r)
+')
+
 # allow transitioning to install_t (for ostree)
 optional_policy(`
 	anaconda_domtrans_install(osbuild_t)