Remove transition / dyntransition from unconfined

Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.

healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.

Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29

healthd.te

 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-type healthd_exec, exec_type, file_type;
 
-init_daemon_domain(healthd)
 allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 # /dev/__null__ created by init prior to policy load,

init.te

@@ -11,3 +11,11 @@ allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
+
+# Transitions to seclabel processes in init.rc
+allow init adbd:process transition;
+allow init healthd:process transition;
+allow init recovery:process transition;
+allow init shell:process transition;
+allow init ueventd:process transition;
+allow init watchdogd:process transition;

kernel.te

 # Life begins with the kernel.
 type kernel, domain;
+
+allow kernel init:process dyntransition;
+
 # The kernel is unconfined.
 unconfined_domain(kernel)
 relabelto_domain(kernel)

unconfined.te

@@ -19,7 +19,7 @@
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace };
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;