Allow MediaProvider to traverse /mnt/media_rw.

As an optimization, platform components like MediaProvider may choose
to shortcut past the FUSE daemon and return open file descriptors
directly pointing at the underlying storage device.

Now that we have a specific label for /mnt/media_rw, we need to grant
search access to untrusted apps like MediaProvider.  The actual
access control is still managed by POSIX permissions on that
directory.

avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0

Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
diff --git a/untrusted_app.te b/untrusted_app.te
index 79eb752..e451c5d 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,10 @@
 allow untrusted_app media_rw_data_file:dir create_dir_perms;
 allow untrusted_app media_rw_data_file:file create_file_perms;
 
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app mnt_media_rw_file:dir search;
+
 # Write to /cache.
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;