I have two pending pull requests on bitbucket for external/sepolicy: 1. run as should support appdomain -system_app not just untrusted_app 2. policy changes for renaming untrusted_app to thirdparty_app, and supporting a black list policy domain for thirdparty_app if a sebool is set.
-- Respectfully, William C Roberts
