    Reland "Neverallow vendor code access to files on /system." · e6b1a4ca
    Tri Vo authored
    What changed:
    - Tightening neverallow forbidding vendor execution access in /system.
    In its current form the neverallow is loose because not all executables
    have exec_type attribute, e.g. almost everything in /system/bin/. This
    change tightens up the neverallow by instead targeting system_file_type
    attribute, which must be applied to all files in /system.
    - Adding a general neverallow forbidding all access to files in /system
    (bar exceptions)
    
    TODOs:
    - Remove loopholes once Treble violations are fixed across all internal
    build targets.
    
    Bug: 111243627
    Test: m selinux_policy; build-only change
    Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229