Refine recovery domain.

Addresses the following denials:

    avc:  denied  { read write } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { open } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { ioctl } for  pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { sys_tty_config } for  pid=132 comm="recovery" capability=26  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
    avc:  denied  { setfcap } for  pid=142 comm="update_binary" capability=31  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
This commit is contained in:
Nick Kralevich 2014-06-07 11:48:35 -07:00
parent 90cb59fd51
commit 8b7ca455a6


@ -10,7 +10,7 @@ recovery_only(`
allow recovery rootfs:file entrypoint;
permissive_or_unconfined(recovery)
allow recovery self:capability { chown dac_override fowner fsetid sys_admin };
allow recovery self:capability { chown dac_override fowner fsetid setfcap sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin;
@ -40,6 +40,7 @@ recovery_only(`
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
allow recovery tty_device:chr_file rw_file_perms;
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
@ -57,5 +58,8 @@ recovery_only(`
allow recovery self:process setfscreate;
wakelock_use(recovery)
# This line seems suspect, as it shouldn't really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
')
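Review bot: The new `setfcap` and `sys_tty_config` additions to the `allow recovery self:capability` line carry no comment, although the neighbouring `mac_admin` rule explains itself and both capabilities are granted to every process in the recovery domain; record which caller needs them, following the quoted denials: `# sys_tty_config: recovery ioctls on /dev/tty0; setfcap: requested by update_binary.` The added `allow recovery tty_device:chr_file rw_file_perms;` is broader than the denials, which only name /dev/tty0, so a one-line comment such as `# /dev/tty0 is labeled tty_device.` would stop a later reader from tightening or widening it without checking the label. The last hunk's `allow recovery kernel:process setsched;` and its "seems suspect" comment do not match any denial quoted in the description; if those lines are new in this commit, the description should say which denial motivated them.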