Allow composd to create odrefresh staging directory

composd in responsible to prepare the staging directory for odrefresh
(in the VM) to write the output to. Temporary output should be put in a
staged directory with a temporary apex_art_staging_data_file context.
When a compilation is finished, the files can then be moved to the final
directory with the final context.

Bug: 205750213
Test: No denials

Change-Id: I9444470b31518242c1bb84fc755819d459d21d68
diff --git a/private/composd.te b/private/composd.te
index e41533b..41f1a9b 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,6 +13,10 @@
 # Start a VM
 virtualizationservice_use(composd)
 
+# Allow preparing staging directory for odrefresh
+allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
+
 # Access our APEX data files
 allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;
diff --git a/private/domain.te b/private/domain.te
index 5b9a5b1..24e05b5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -315,9 +315,10 @@
 
 neverallow {
   domain
-  # art processes
+  # art-related processes
   -odrefresh
   -odsign
+  -composd
   # others
   -apexd
   -init