Move sdcardfs media_rw_data_file rules to app.te

Test: No media_rw_data_file related app denials
Change-Id: I1a977db09379f9a3e5bc52c597df12f52929ad19

public/app.te

@@ -188,6 +188,10 @@ allow { appdomain -isolated_app } fuse:dir create_dir_perms;
 allow { appdomain -isolated_app } fuse:file create_file_perms;
 allow { appdomain -isolated_app } sdcardfs:dir create_dir_perms;
 allow { appdomain -isolated_app } sdcardfs:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } media_rw_data_file:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework

public/bluetooth.te

@@ -58,12 +58,6 @@ unix_socket_connect(bluetooth, sap_uim, rild)
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
 allow bluetooth shell_data_file:file read;
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow bluetooth media_rw_data_file:dir create_dir_perms;
-allow bluetooth media_rw_data_file:file create_file_perms;
-
 ###
 ### Neverallow rules
 ###

public/shell.te

@@ -129,12 +129,6 @@ allow shell sysfs:dir r_dir_perms;
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow shell media_rw_data_file:dir create_dir_perms;
-allow shell media_rw_data_file:file create_file_perms;
-
 #
 # filesystem test for insecure chr_file's is done
 # via a host side test