Strip file execute permissions from unconfined domains.

Exclude execute from the rules allowing access to files,
and only add it back for the rootfs and files labeled
with system_file (/system, /vendor) or one of the types in exec_type
(files under /system that cause domain transitions).

Change-Id: Ic72d76dc92e79bcc75a38398425af3bb1274a009
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

unconfined.te

@@ -29,9 +29,10 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod relabelto};
-allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;