So I think a better/simpler way to do this is to define a boolean, and if true, simply add a set of allow rules to the existing untrusted_app domain. No need for a separate domain. Wondering though if we ought to in fact add allow rules based on appdomain, i.e. if this boolean is set, allow all permissions except for the ones prohibited to all app domains. Otherwise, you may have a situation where platform_app or release_app has fewer permissions than untrusted_app.
Well, I agree it's simpler, not 100% sure if it's better (how do you measure that anyway). If you wanted to have assertions that cover "nice to haves" in untrusted_app vs untrusted_bl_app you couldn't have them. Plus, unless you completely override app.te and build a whole new policy again, there is no way to build application domains off of existing ones. The base policy being more based on attributes makes extending it much easier, when what you want to do is not just basic allows.
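To make the two options in the thread concrete, here is an added policy sketch (not code from either poster or from AOSP) showing the boolean-gated approach from the first post beside the separate-attribute-based domain from the reply. The boolean name `bl_app_extra_perms`, the `sysfs`/`net_raw` permissions used as the "extra" grants, and the `seinfo=bl` tag are illustrative assumptions; `untrusted_bl_app` is the domain name the thread itself uses, and `app_domain`/`net_domain` are the AOSP te_macros.

```sepolicy
# ---- Option A (first post): one domain, a boolean, conditional allow rules ----
# Boolean name and the specific permissions below are assumptions for illustration.
bool bl_app_extra_perms false;

# Rules in the if-block take effect only while the boolean is true, e.g. after
# `setsebool bl_app_extra_perms 1` on a running device.
if (bl_app_extra_perms) {
    allow untrusted_app sysfs:file { open read };
    allow untrusted_app self:capability net_raw;
}

# The limitation the reply points at: neverallow is a compile-time assertion and
# is not permitted inside a conditional block, and checkpolicy checks neverallow
# against conditional allow rules too. So this assertion, which we would want for
# the "normal" untrusted_app, would be rejected at build time because of the
# conditional allow above:
#
#   neverallow untrusted_app self:capability net_raw;
#
# There is no way to express "untrusted_app must not, untrusted-with-boolean may".


# ---- Option B (reply): a separate domain built from the shared attributes ----
# The new domain is assembled from the same attribute/macro base as the other app
# domains, so it inherits the common app rules instead of copying app.te.
type untrusted_bl_app, domain;
app_domain(untrusted_bl_app)     # AOSP macro: common app rules, adds the appdomain attribute
net_domain(untrusted_bl_app)     # AOSP macro: network access

# Extra grants only this domain gets (same illustrative permissions as above).
allow untrusted_bl_app sysfs:file { open read };
allow untrusted_bl_app self:capability net_raw;

# Assertions can now tell the two domains apart: the plain untrusted_app keeps
# its restriction, while untrusted_bl_app is not covered by it.
neverallow untrusted_app self:capability net_raw;

# Anything asserted on the appdomain attribute (the "prohibited to all app
# domains" set the first post mentions) still applies to both, because both
# carry the attribute. Example shape, with an assumed target type:
#   neverallow appdomain kernel:security load_policy;

# Routing apps into the new domain is done in seapp_contexts, not in .te.
# The seinfo value "bl" is an assumption; the line shape is the real format:
#   user=_app seinfo=bl domain=untrusted_bl_app type=app_data_file
```

The practical difference is where the decision is enforced: Option A can be flipped at runtime with `setsebool` and lives entirely in untrusted_app, so every untrusted app changes behaviour at once and no neverallow can single out the boolean case; Option B fixes the split at build time and per-app via seapp_contexts, which is what lets neverallow assertions and attribute-wide rules describe the two populations separately.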