Fix broken neverallow rules

neverallow rules with allowlist should look like:

    neverallow { domain -allow1 -allow2 } ...

Bug: 181744894
Test: m selinux_policy
Test: pcregrep -M -r "neverallow\s+{(\s*#.*\s*)*\s+-" .
Change-Id: Ibab72ccc1fbacb99b62fe127b4122e1ac22b938a
diff --git a/private/charger.te b/private/charger.te
index 693fd3a..8be113f 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -15,6 +15,7 @@
 
 compatible_property_only(`
     neverallow {
+        domain
         -init
         -dumpstate
         -charger
@@ -22,6 +23,7 @@
 ')
 
 neverallow {
+    domain
     -init
     -dumpstate
     -vendor_init
diff --git a/private/init.te b/private/init.te
index 4e8289a..c652603 100644
--- a/private/init.te
+++ b/private/init.te
@@ -70,19 +70,19 @@
 
 # Only init can write vts.native_server.on
 set_prop(init, vts_status_prop)
-neverallow { -init } vts_status_prop:property_service set;
+neverallow { domain -init } vts_status_prop:property_service set;
 
 # Only init can write normal ro.boot. properties
-neverallow { -init } bootloader_prop:property_service set;
+neverallow { domain -init } bootloader_prop:property_service set;
 
 # Only init can write hal.instrumentation.enable
-neverallow { -init } hal_instrumentation_prop:property_service set;
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
 
 # Only init can write ro.property_service.version
-neverallow { -init } property_service_version_prop:property_service set;
+neverallow { domain -init } property_service_version_prop:property_service set;
 
 # Only init can set keystore.boot_level
-neverallow { -init } keystore_listen_prop:property_service set;
+neverallow { domain -init } keystore_listen_prop:property_service set;
 
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index 1e7bbde..fef3a89 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,4 @@
 # Set lmkd.* properties.
 set_prop(lmkd, lmkd_prop)
 
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/property.te b/private/property.te
index 88f3ec0..f177631 100644
--- a/private/property.te
+++ b/private/property.te
@@ -317,6 +317,7 @@
 ')
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } {
@@ -325,6 +326,7 @@
 }:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -system_server
 } {
@@ -333,6 +335,7 @@
 
 neverallow {
   # Only allow init and system_server to set system_adbd_prop
+  domain
   -init
   -system_server
 } {
@@ -341,6 +344,7 @@
 
 # Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
 neverallow {
+  domain
   -init
   -vendor_init
   -adbd
@@ -351,6 +355,7 @@
 
 neverallow {
   # Only allow init and adbd to set adbd_prop
+  domain
   -init
   -adbd
 } {
@@ -359,6 +364,7 @@
 
 neverallow {
   # Only allow init and shell to set userspace_reboot_test_prop
+  domain
   -init
   -shell
 } {
@@ -366,6 +372,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
   -vendor_init
@@ -374,6 +381,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
 } {
   libc_debug_prop
@@ -382,6 +390,7 @@
 # Allow the shell to set MTE props, so that non-root users with adb shell
 # access can control the settings on their device.
 neverallow {
+  domain
   -init
   -shell
 } {
@@ -389,18 +398,21 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
   -vendor_init
 } zram_control_prop:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
   -vendor_init
 } dalvik_runtime_prop:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } {
@@ -409,6 +421,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -system_server
 } {
@@ -417,6 +430,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } {
@@ -425,6 +439,7 @@
 }:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } {
   init_service_status_private_prop
@@ -432,6 +447,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -radio
   -appdomain
@@ -440,6 +456,7 @@
 } telephony_status_prop:property_service set;
 
 neverallow {
+  domain
   -init
   -vendor_init
 } {
@@ -447,6 +464,7 @@
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -surfaceflinger
 } {
@@ -454,23 +472,27 @@
 }:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -appdomain
   -vendor_init
 } packagemanager_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } keyguard_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } {
   localization_prop
 }:property_service set;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
@@ -478,11 +500,13 @@
 } oem_unlock_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -coredomain
   -vendor_init
 } storagemanager_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
@@ -490,6 +514,7 @@
 } sendbug_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
@@ -497,6 +522,7 @@
 } camera_calibration_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -dumpstate
   -hal_dumpstate_server
@@ -504,6 +530,7 @@
 } hal_dumpstate_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   userdebug_or_eng(`-traced_probes')
   userdebug_or_eng(`-traced_perf')
@@ -513,6 +540,7 @@
 
 # TODO Remove this property when Keystore 2.0 migration is complete b/171563717
 neverallow {
+  domain
   -init
   -dumpstate
   -system_app
@@ -521,36 +549,43 @@
 } keystore2_enable_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } zygote_wrap_prop:property_service set;
 
 neverallow {
+  domain
   -init
 } verity_status_prop:property_service set;
 
 neverallow {
+  domain
   -init
 } setupwizard_prop:property_service set;
 
 # ro.product.property_source_order is useless after initialization of ro.product.* props.
 # So making it accessible only from init and vendor_init.
 neverallow {
+  domain
   -init
   -dumpstate
   -vendor_init
 } build_config_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
   -shell
 } sqlite_log_prop:property_service set;
 
 neverallow {
+  domain
   -coredomain
   -appdomain
 } sqlite_log_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
   -init
 } default_prop:property_service set;
 
@@ -560,6 +595,7 @@
 
 neverallow {
   # Only allow init and shell to set rollback_test_prop
+  domain
   -init
   -shell
 } rollback_test_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index 05a6e48..e84c6ee 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1324,6 +1324,7 @@
 neverallow { domain -init -system_server } boot_status_prop:property_service set;
 
 neverallow {
+  domain
   -init
   -vendor_init
   -dumpstate
diff --git a/private/tombstoned.te b/private/tombstoned.te
index ca9a0aa..b6dfd1e 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -5,6 +5,7 @@
 get_prop(tombstoned, tombstone_config_prop)
 
 neverallow {
+    domain
     -init
     -vendor_init
     -dumpstate
diff --git a/public/system_server.te b/public/system_server.te
index 09421cc..edefadf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -10,6 +10,7 @@
 set_prop(system_server, power_debug_prop)
 
 neverallow {
+  domain
   -init
   -vendor_init
   -system_server