Change zygote sepolicy whitelist.

Allow the zygote to create instruction set specific
directories under /data/dalvik-cache and to change their owner
to the system UID.

These subdirectories are required in order to support
instruction set specific dex caches on devices that support
multiple instruction sets. We can't ask init to create these
directories for us, because init doesn't have any knowledge
about the list of runtime instruction sets the device supports.

The owner needs to be system because the package manager (running
in the system_server) is allowed to manipulate files under this
directory.

(cherry picked from commit 032e5b0a)

Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361

zygote.te

@@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner };
+allow zygote self:capability { dac_override setgid setuid fowner chown };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
@@ -20,7 +20,7 @@ allow zygote appdomain:process { getpgid setpgid };
 # Write to system data.
 allow zygote system_data_file:dir rw_dir_perms;
 allow zygote system_data_file:file create_file_perms;
-allow zygote dalvikcache_data_file:dir rw_dir_perms;
+allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;