Fix e2fsck denials introduced by latest e2fsprogs merge.

This resulted from changes in e2fsprogs logic which traverses
/proc/mounts to warn about fixing a mounted filesystem.

Denials:

        07-08 15:08:21.207   853   853 I auditd  : type=1400 audit(0.0:88): avc: denied { getattr } for comm="e2fsck" path="/metadata" dev="vda12" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0
        07-08 15:08:21.207   853   853 I auditd  : type=1400 audit(0.0:89): avc: denied { search } for comm="e2fsck" name="/" dev="tmpfs" ino=1 scontext=u:r:fsck:s0 tcontext=u:object_r:mirror_data_file:s0 tclass=dir permissive=0

Bug: 193137337
Test: treehugger
Change-Id: Ib050463f7fa6ea453795c933ff388d3594bb7c23

private/domain.te

@@ -397,6 +397,7 @@ neverallow {
 # Limit directory operations that doesn't need to do app data isolation.
 neverallow {
   domain
+  -fsck
   -init
   -installd
   -zygote

public/fsck.te

@@ -14,7 +14,6 @@ allow fsck vold:fd use;
 allow fsck vold:fifo_file { read write getattr };
 
 # Run fsck on certain block devices
-allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
@@ -22,6 +21,12 @@ userdebug_or_eng(`
 allow fsck system_block_device:blk_file rw_file_perms;
 ')
 
+# e2fsck performs a comprehensive search of /proc/mounts to check whether the
+# checked filesystem is currently mounted.
+allow fsck metadata_file:dir getattr;
+allow fsck block_device:dir search;
+allow fsck mirror_data_file:dir search;
+
 # For the block devices where we have ioctl access,
 # allow at a minimum the following common fsck ioctls.
 allowxperm fsck dev_type:blk_file ioctl {