remove syslog_* from unconfined

As suggested in https://android-review.googlesource.com/95966 , remove
various syslog_* from unconfined. SELinux domains which want to use
syslog_* can declare it themselves.

Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4

app.te

@@ -317,9 +317,9 @@ neverallow { appdomain -unconfineddomain }
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app -unconfineddomain }
+neverallow { appdomain -system_app }
     kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -unconfineddomain -shelldomain }
+neverallow { appdomain -system_app -shelldomain }
     kernel:system syslog_read;
 
 # Ability to perform any filesystem operation other than statfs(2).

init.te

@@ -12,6 +12,7 @@ allow init dev_type:blk_file rw_file_perms;
 allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
+allow init kernel:system syslog_mod;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 

unconfined.te

@@ -19,7 +19,7 @@
 allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
-allow unconfineddomain kernel:system *;
+allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;