Revert "Neverallow vendor code access to files on /system."

am: 10b250df

Change-Id: I1bbfc88a988bb5519cbd91fb5dd0e6d212e42b39

public/domain.te

@@ -1091,10 +1091,9 @@ full_treble_only(`
         -vendor_executes_system_violators
         -vendor_init
     } {
-        system_file_type
-        -system_file # TODO(b/111243627): remove once Treble violations are fixed.
-        -system_lib_file
+        exec_type
         -system_linker_exec
+        -vendor_file_type
         -crash_dump_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
@@ -1157,33 +1156,17 @@ full_treble_only(`
   }:file *;
 ')
 
-full_treble_only(`
-  # Do not allow vendor components access to /system files except for the
-  # ones whitelisted here.
-  neverallow {
-    domain
-    -appdomain
-    -coredomain
-    -vendor_executes_system_violators
-    # vendor_init needs access to init_exec for domain transition. vendor_init
-    # neverallows are covered in public/vendor_init.te
-    -vendor_init
-  } {
-    system_file_type
-    -system_file # TODO(b/111243627): remove once Treble violations are fixed.
-    -crash_dump_exec
-    -file_contexts_file
-    -netutils_wrapper_exec
-    -property_contexts_file
-    -system_lib_file
-    -system_linker_exec
-    -system_linker_config_file
-    -system_seccomp_policy_file
-    -system_security_cacerts_file
-    -system_zoneinfo_file
-    userdebug_or_eng(`-tcpdump_exec')
-  }:file *;
-')
+# TODO(b/111243627): Uncomment once all violations are cleaned up.
+#full_treble_only(`
+#  # Do not allow vendor components access to /system files except for the
+#  # ones whitelisted here.
+#  neverallow {
+#    domain
+#    -appdomain
+#    -coredomain
+#    -vendor_executes_system_violators
+#  } system_file_type:file *;
+#')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {