Something went wrong on our end
-
Nick Kralevich authored1) Remove explicit allow statements. Since su is in permmissive, there's no need to ever specify allow statements for su. 2) Remove unconfined_domain(su). Su is already permissive, so there's no need to join the unconfined domain, and it just makes getting rid of unconfined more difficult. 3) Put su into app_domain(). This addresses, in a roundabout sorta way, the following denial: type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0 which comes up while testing media processes as root. We already put the shell user into this domain, so adding su to this domain ensures other processes can communicate consistently with su spawned processes. Bug: 16261280 Bug: 16298582 Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7Nick Kralevich authored1) Remove explicit allow statements. Since su is in permmissive, there's no need to ever specify allow statements for su. 2) Remove unconfined_domain(su). Su is already permissive, so there's no need to join the unconfined domain, and it just makes getting rid of unconfined more difficult. 3) Put su into app_domain(). This addresses, in a roundabout sorta way, the following denial: type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0 which comes up while testing media processes as root. We already put the shell user into this domain, so adding su to this domain ensures other processes can communicate consistently with su spawned processes. Bug: 16261280 Bug: 16298582 Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7