From 1638208fd887e24aff1af30e4f15e4b11f6abf54 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 10 Dec 2015 13:07:27 -0800
Subject: [PATCH] su.te: dontaudit su property_type:file

The "su" domain is in globally permissive mode on userdebug/eng
builds. No SELinux denials are supposed to be generated when running
under "su".

Get rid of useless SELinux denials coming from su trying to stat
files in /dev/__properties__. For example: "ls -la /dev/__properties__"
as root.

Addresses the following denials:

  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:wc_transport_prop:s0" dev="tmpfs" ino=10597 scontext=u:r:su:s0 tcontext=u:object_r:wc_transport_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qseecomtee_prop:s0" dev="tmpfs" ino=10596 scontext=u:r:su:s0 tcontext=u:object_r:qseecomtee_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:radio_atfwd_prop:s0" dev="tmpfs" ino=10595 scontext=u:r:su:s0 tcontext=u:object_r:radio_atfwd_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=10594 scontext=u:r:su:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:contexthub_prop:s0" dev="tmpfs" ino=10593 scontext=u:r:su:s0 tcontext=u:object_r:contexthub_prop:s0 tclass=file permissive=1

Change-Id: Ief051a107f48c3ba596a31d01cd90fb0f3442a69
---
 su.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/su.te b/su.te
index 38e3b0d53..f263821ab 100644
--- a/su.te
+++ b/su.te
@@ -45,6 +45,7 @@ userdebug_or_eng(`
   dontaudit su domain:peer *;
   dontaudit su domain:binder *;
   dontaudit su property_type:property_service *;
+  dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
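Review bot: the new rule `dontaudit su property_type:file *;` suppresses every file permission on property files, while the denials quoted in the commit message are all `getattr` from `ls -la /dev/__properties__`. That matches the style of the sibling rules in this `userdebug_or_eng` block (`domain:peer *`, `property_type:property_service *`), and because su is permissive the rule only affects logging, not enforcement, so the breadth is acceptable; it is worth stating in the message that `*` was chosen for consistency with the neighbouring rules rather than just `getattr`, since anyone later debugging property-file access (read/write/open) from su will see nothing in the audit log until this line is removed.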
-- 
GitLab