From af7deffb2c6ef217d0ea95e2e1d06042bc4e8e34 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 27 May 2014 15:46:39 -0700
Subject: [PATCH] dontaudit su

Denials generated from the su domain aren't meaningful security
warnings, and just serve to confuse people. Don't log them.

Change-Id: Id38314d4e7b45062c29bed63df4e50e05e4b131e
---
 su.te | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/su.te b/su.te
index c17fd0bf4..861514825 100644
--- a/su.te
+++ b/su.te
@@ -26,4 +26,27 @@ userdebug_or_eng(`
 
   # Make su a net domain.
   net_domain(su)
+
+  dontaudit su self:capability_class_set *;
+  dontaudit su kernel:security *;
+  dontaudit su kernel:system *;
+  dontaudit su self:memprotect *;
+  dontaudit su domain:process *;
+  dontaudit su domain:fd *;
+  dontaudit su domain:dir *;
+  dontaudit su domain:lnk_file *;
+  dontaudit su domain:{ fifo_file file } *;
+  dontaudit su domain:socket_class_set *;
+  dontaudit su domain:ipc_class_set *;
+  dontaudit su domain:key *;
+  dontaudit su fs_type:filesystem *;
+  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+  dontaudit su node_type:node *;
+  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+  dontaudit su netif_type:netif *;
+  dontaudit su port_type:socket_class_set *;
+  dontaudit su port_type:{ tcp_socket dccp_socket } *;
+  dontaudit su domain:peer *;
+  dontaudit su domain:binder *;
+  dontaudit su property_type:property_service *;
 ')
-- 
GitLab