Introduce a `postinstall_apex_mnt_dir` label for `/postinstall/apex`.

Directory `/postinstall/apex` is used as a mount point for a tmpfs
filesystem during A/B OTA updates. APEX packages from the new system
partition are mounted ("activated") in subdirectories of
`/postinstall/apex`, so that they are available when `otapreopt` is
running.

Directory `/postinstall/apex` used to carry the generic `tmpfs` type for
SELinux purposes. The new `postinstall_apex_mnt_dir` label is more
restrictive: it lets the rules granted to `otapreopt_chroot`,
`otapreopt` (running as `postinstall_dexopt`), and `dex2oat` for the
recently added APEX activation logic in `otapreopt_chroot` be scoped to
this one mount point instead of to every `tmpfs`-labeled directory.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I03f0b0433d9c066a0c607f864d60ca62fc68c990
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d489e73..44d2d63 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -82,6 +82,7 @@
     network_stack_tmpfs
     overlayfs_file
     permissionmgr_service
+    postinstall_apex_mnt_dir
     recovery_socket
     role_service
     rs
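Review bot: The new type is listed only in the 28.0 compat ignore file in this diff; if this tree also carries 26.0 and 27.0 compat mappings (not visible here), the same `postinstall_apex_mnt_dir` entry is normally required in each of them, otherwise the compat policy build will report the type as unmapped. Worth confirming the other ignore lists were updated in hunks outside this view.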
diff --git a/private/file_contexts b/private/file_contexts
index af9572d..89c11bd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -28,6 +28,7 @@
 /config             u:object_r:rootfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 608ed9e..aea2faa 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -23,10 +23,14 @@
 
 # Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
 allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir mounton;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
 
 # Allow otapreopt_chroot to access /dev/block (needed to detach loop
 # devices used by ext4 images from APEX packages).
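Review bot: The `relabelfrom` granted on line `allow otapreopt_chroot tmpfs:dir relabelfrom;` is not path-scoped: it applies to every directory carrying the `tmpfs` type, which per the file_contexts hunk includes `/mnt`, not just the freshly mounted `/postinstall/apex`. The grant is bounded because the only permitted target is the single `relabelto` on `postinstall_apex_mnt_dir`, so the worst case is relabeling some other tmpfs directory to that type, but the comment above it should say so rather than implying the rule is limited to `/postinstall/apex`; e.g. `# NOTE: relabelfrom on tmpfs:dir is type-wide (covers /mnt etc.); it is bounded only by the single relabelto target below.` It would also help to note next to `create_dir_perms` that subdirectories created under `/postinstall/apex` inherit `postinstall_apex_mnt_dir` (no type_transition is declared here), which is what makes the following `mounton` rule sufficient for the per-package mount points. The matching tightening for `postinstall_dexopt` and `dex2oat` mentioned in the description is not in the hunks shown, so whether those domains received `search`/`getattr` on the new type cannot be confirmed from this view.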