Make shared_relro policy private.

Nothing should be depending on the details.

I haven't removed public/shared_relro.te entirely - there's a reference to shared_relro in public/app.te, and at least one reference to the domain outside of system policy.

Fix: 175867372
Test: Presubmits
Change-Id: I5fd4090f4b445520c4fa767c1835a5bb4e9cb146

private/shared_relro.te

@@ -3,3 +3,13 @@ typeattribute shared_relro coredomain;
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
 app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;

public/shared_relro.te

@@ -1,14 +1,2 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
-
-# StrictMode may attempt to find this service, failure is harmless.
-dontaudit shared_relro network_management_service:service_manager find;