Allow netmgrd to execute sh.

It invokes helper programs such as /system/bin/ip via sh -c.
In the future, look at reworking netmgrd to directly invoke
the helper programs and/or to transition to a different domain
upon sh invocation to shed unnecessary permissions.

Also rewrite the system_file rule for /system/bin/ip to use
the rx_file_perms macro for consistency.

Change-Id: I407d4503868e928dd876cce932fe6a96fcbd4e0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>