Uncrypt needs search in /dev/block to open block devices.
Allow it.

Addresses the following denial:

[11105.601711] type=1400 audit(1393550350.528:30): avc:  denied  { search } for  pid=14597 comm="uncrypt" name="block" dev="tmpfs" ino=7200 scontext=u:r:uncrypt:s0 tcontext=u:object_r:block_device:s0 tclass=dir

Change-Id: I4592784135a04ff5bff2715e1250661744f12aa1

Move the uncrypt domain into SELinux enforcing mode. This will
start enforcing SELinux rules; security policy violations will
return EPERM.

Bug: 13083922
Change-Id: I4805662d8b336e2bfd891237cc916c57179ebf12

Per https://android-review.googlesource.com/82814 , uncrypt
needs to be able to read shell_data_files on userdebug / eng
builds. Allow it.

Bug: 13083922
Change-Id: I72299673bb5e36be79413227105b5cad006d504f

Add initial support for uncrypt, started via the
pre-recovery service in init.rc. On an encrypted device,
uncrypt reads an OTA zip file on /data, opens the underlying
block device, and writes the unencrypted blocks on top of the
encrypted blocks. This allows recovery, which can't normally
read encrypted partitions, to reconstruct the OTA image and apply
the update as normal.

Add an exception to the neverallow rule for sys_rawio. This is
needed to support writing to the raw block device.

Add an exception to the neverallow rule for unlabeled block devices.
The underlying block device for /data varies between devices
within the same family (for example, "flo" vs "deb"), and the existing
per-device file_context labeling isn't sufficient to cover these
differences. Until I can resolve this problem, allow access to any
block devices.

Bug: 13083922
Change-Id: I7cd4c3493c151e682866fe4645c488b464322379