Policy for overlay_remounter

Note - type definitions moved outside the userdebug_or_eng macro to
avoid breaking user builds. User build (lynx-trunk_staging-user) built
and flashed to avoid a repeat of b/392686305

Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 388912628
Change-Id: Ice404a0b798a4dcbfcafb10d5b114807b21dca10
diff --git a/private/incident.te b/private/incident.te
index db9ae86..19db7d7 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -34,4 +34,14 @@
 allow incident incidentd:fifo_file write;
 
 # only allow incident being called by shell or dumpstate
-neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
+neverallow {
+    domain
+    -su
+    -shell
+    -incident
+    -dumpstate
+    userdebug_or_eng(`-overlay_remounter')
+} incident_exec:file {
+    execute
+    execute_no_trans
+};