Coalesce rules for allowing execution of shared objects by app domains.

Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

app.te

@@ -63,7 +63,6 @@ bluetooth_domain(release_app)
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
 app_domain(isolated_app)
-allow isolated_app system_data_file:file { open execute };
 
 #
 # Rules for platform app domains.
@@ -75,8 +74,6 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
-# System data file accesses (e.g, shared objects from the lib directory)
-allow platformappdomain system_data_file:file { execute open };
 
 #
 # Untrusted apps.
@@ -86,7 +83,6 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;
-allow untrusted_app system_data_file:file { execute open };
 
 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
@@ -134,6 +130,7 @@ allow appdomain platform_app_data_file:file { read write };
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
+allow appdomain system_data_file:file { execute open };
 
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { read write };