Skip to content
Snippets Groups Projects
Commit 213bb45b authored by Nick Kralevich's avatar Nick Kralevich
Browse files

Tweak rules for su domain. 

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582
Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7
parent 8395bb4a
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 2 additions and 10 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment