This adds two items to ujust audit-secureblue that check whether user namespace creation is disallowed for the uncontained domain and container domain, respectively. This would close issue #676. The checks are accompanied by suggestions to turn back on the user namespace protections if disabled using the appropriate ujust toggles.

I chose to mark unconfined userns creation being enabled as a "FAILURE" and container userns creation as a "WARNING"; I'm not sure if the latter should also be "FAILURE".

Implementation note: Since checking the state of these toggles directly using semodule -l isn't allowed for unprivileged users, we instead have to test their state by observing whether userns creation fails. For the uncontained domain, we test this using unshare -U true. For the container domain, we create a temporary copy of the unshare binary in the user's home directory, use chcon to give it the container_runtime_exec_t attribute, and run unshare -U true using this modified binary. (I'm a bit surprised SELinux allows this workaround—is this intended behavior? I'd also be interested to know if there's a simpler way to do this.)

Legal notice: I affirm that I have authored 100% of the content I contribute, I have the necessary rights to the content, and the content may be provided under the project license.