Remove write access to rootfs files from unconfineddomain and
prevent adding it back via neverallow.  This is only applied to
regular files, as we are primarily concerned with preventing
writing to a file that can be exec'd and because creation of
directories or symlinks in the rootfs may be required for mount
point directories.

Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>