Allow init to relabel rootfs files.

This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.

Addresses denials such as:
  avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.

Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

domain.te

@@ -278,7 +278,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.

init.te

@@ -28,6 +28,9 @@ allow init contextmount_type:filesystem relabelto;
 allow init contextmount_type:dir r_dir_perms;
 allow init contextmount_type:notdevfile_class_set r_file_perms;
 
+# restorecon /adb_keys or any other rootfs files to a more specific type.
+allow init rootfs:file relabelfrom;
+
 # restorecon and restorecon_recursive calls from init.rc files.
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so