sepolicy: graphics: address some denials

* Labeling vendor allocator libraries became necessary for some reason
  after moving minigbm gralloc to APEX.
* Address remaining drm_hwcomposer denials.

sepolicy/file_contexts

@@ -6,10 +6,11 @@
 /data/vendor/mediadrm(/.*)?  u:object_r:mediadrm_vendor_data_file:s0
 
 # Graphics
-/dev/dri(/.*)?                    u:object_r:gpu_device:s0
+/dev/dri(/.*)?                                                     u:object_r:gpu_device:s0
-/vendor/lib64/libdrm\.so          u:object_r:same_process_hal_file:s0
+/vendor/lib64/android\.hardware\.graphics\.allocator@[2-4]\.0\.so  u:object_r:same_process_hal_file:s0
-/vendor/lib64/libgallium_dri\.so  u:object_r:same_process_hal_file:s0
+/vendor/lib64/libdrm\.so                                           u:object_r:same_process_hal_file:s0
-/vendor/lib64/libui\.so           u:object_r:same_process_hal_file:s0
+/vendor/lib64/libgallium_dri\.so                                   u:object_r:same_process_hal_file:s0
+/vendor/lib64/libui\.so                                            u:object_r:same_process_hal_file:s0
 
 # Partitions
 /dev/block/mmcblk0p1  u:object_r:boot_block_device:s0

sepolicy/hal_graphics_composer_default.te

@@ -1,3 +1,5 @@
 vndbinder_use(hal_graphics_composer_default)
 gpu_access(hal_graphics_composer_default)
 get_prop(hal_graphics_composer_default, vendor_hwc_config_prop)
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };