This is a clone of upstream request https://github.com/fedora-selinux/selinux-policy/issues/2455

SSSD was reworked to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when not needed anymore (specific PR that triggered this ticket - https://github.com/SSSD/sssd/pull/7731)

This approach conflicts with current `sssd_selinux_manager_t` policy:
"""
*type=AVC* msg=audit(1733309927.245:4711): avc: **denied

** for pid=43967 comm="selinux_child" *scontext=system_u:system_r:sssd_selinux_manager_t:s0* tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1
*type=SYSCALL* msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd"
*type=CAPSET* msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0
"""

Relevant policy that needs to be fixed:
https://github.com/fedora-selinux/selinux-policy/blob/8dfcddb1f7227bbdf98776f795be53cf50734b04/policy/modules/contrib/sssd.te#L283

This change will land Fedora 41+ and C10S soon (https://gitlab.com/redhat/centos-stream/rpms/sssd/-/commit/98cad07f1e1e1819badd3cfbc9bbcccb15ca0ee4)