Move domains into per-domain permissive mode.

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

qemud.te

 # qemu support daemon
 type qemud, domain;
+permissive qemud;
 type qemud_exec, exec_type, file_type;
 
 init_daemon_domain(qemud)

racoon.te

 # IKE key management daemon
 type racoon, domain;
+permissive racoon;
 type racoon_exec, exec_type, file_type;
 
 init_daemon_domain(racoon)

radio.te

 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)

rild.te

 # rild - radio interface layer daemon
 type rild, domain;
+permissive rild;
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)

sdcardd.te

 type sdcardd, domain;
+permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)

servicemanager.te

 # servicemanager - the Binder context manager
 type servicemanager, domain;
+permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 
 init_daemon_domain(servicemanager)

su.te

 type su, domain;
+permissive su;
 type su_exec, file_type;
 domain_auto_trans(shell, su_exec, su)
 

surfaceflinger.te

 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
+permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)

system.te

@@ -4,6 +4,7 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
 
 # Perform binder IPC to any app domain.

te_macros

@@ -232,6 +232,7 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
+allow $1 security_file:lnk_file read;
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;

tee.te

@@ -2,6 +2,7 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
+permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;

ueventd.te

 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
+permissive ueventd;
 tmpfs_domain(ueventd)
 write_klog(ueventd)
 security_access_policy(ueventd)

vold.te

 # volume manager
 type vold, domain;
+permissive vold;
 type vold_exec, exec_type, file_type;
 
 init_daemon_domain(vold)

watchdogd.te

 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
+permissive watchdogd;
 allow watchdogd rootfs:file { entrypoint r_file_perms };
 allow watchdogd self:capability mknod;
 allow watchdogd device:dir { add_name write remove_name };

wpa_supplicant.te

 # wpa - wpa supplicant or equivalent
 type wpa, domain;
+permissive wpa;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)

zygote.te

 # zygote
 type zygote, domain;
+permissive zygote;
 type zygote_exec, exec_type, file_type;
 
 init_daemon_domain(zygote)