Fix selinux denials for incidentd

This is to fix selinux denials on incident-helper-cmd.
incident-helper-cmd is a Java program spawn from app_process. There are
currently some selinux denials because app_process tries to read boot
flags, read dalvik cache, run JIT and exec from JIT cache.

This change:
- allows incidentd to read the runtime feature flag properties. This is
a normal behavior during app_process startup
- allows incidentd to lock a few java libraries under
/apex/com.android.art. Again, this is normal when ART starts
- mutes denial of writing to and exec from dalvik cache / JIT cache

Fixes: 149011438
Test: Run $ incident 1116, and verify there's no selinux denial
Change-Id: I95a6b93e6a5510c749bebe7ecbcab9a803be0801

private/incidentd.te

@@ -131,14 +131,21 @@ allow incidentd shell_exec:file rx_file_perms;
 # For running am, incident-helper-cmd and similar framework commands.
 # Run /system/bin/app_process.
 allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
 
 # logd access - work to be done is a PII safe log (possibly an event log?)
 userdebug_or_eng(`read_logd(incidentd)')
 # TODO control_logd(incidentd)
 
 # Access /data/misc/logd
-allow incidentd misc_logd_file:dir r_dir_perms;
-allow incidentd misc_logd_file:file r_file_perms;
+r_dir_file(incidentd, misc_logd_file)
 
 # Allow incidentd to find these standard groups of services.
 # Others can be whitelisted individually.