Disable tizen.org/privilege/internal/sysadmin for non-applications
By default, system (&user-session) services were granted access to all privileges.
As we work towards fine-grained access control for system services, we need
to disable granting all privileges for services.
This 1st experimental step disables the sysadmin privilege, to be used
to control access to activationd daemon.
For internal applications, sysadmin privilege will be used in manifests, so
Cynara will be able to find exact match for applications' Smack label
in its manifest bucket; for policy evaluation to return success in such case,
all that is needed is the addition of this new privilege to user-types whitelists
(*.profile files).
For system services, access control to activationd will be limited
to list of user-IDs listed in DBus policy, hence the privilege can't
be automatically enabled for processes with labels User, System & System::Privileged.
For user-session services, this privilege will not be used at the moment.
The (possible) target solution for providing per-service access control
can be based on supplementary groups defined in systemd service files
(or applied as a consequence of cynara policy by security-manager nss plugin).
However, using supplementary groups with DBus policy is not possible at the moment
as both the kernel and DBus will have to be patched to use SO_PEERGROUPS (1)
(1) : https://www.spinics.net/lists/netdev/msg441568.html
Change-Id: Ie41a60d67d39c49b1ed6a49e0c17b9e5d2dabd86