recovery: start enforcing SELinux rules

Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.

Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3

recovery.te

@@ -8,7 +8,6 @@ type recovery, domain;
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
   allow recovery rootfs:file { entrypoint execute };
-  permissive_or_unconfined(recovery)
 
   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };