Move TEE rules to vendor image

"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
   character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6