From bf254b46ada68ee6ad53092cb7914ebdb43134a5 Mon Sep 17 00:00:00 2001 From: Nick Kralevich <nnk@google.com> Date: Tue, 6 Jan 2015 12:50:19 -0800 Subject: [PATCH] su.te: suppress service_manager related denials. The su domain is always permissive, and will always be permissive. It never makes sense to show su related denials, as they just cause a false sense of alarm. Suppress service_manager related denials. For example: SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager SELinux : avc: denied { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager While I'm here, suppress other recent additions to security_classes as well (keystore_key, debuggerd, drmservice) Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9 --- su.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/su.te b/su.te index 687068471..c42e4a720 100644 --- a/su.te +++ b/su.te @@ -41,4 +41,8 @@ userdebug_or_eng(` dontaudit su domain:peer *; dontaudit su domain:binder *; dontaudit su property_type:property_service *; + dontaudit su service_manager_type:service_manager *; + dontaudit su keystore:keystore_key *; + dontaudit su domain:debuggerd *; + dontaudit su domain:drmservice *; ') -- GitLab
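Review bot: the four added `dontaudit` lines at the end of the `userdebug_or_eng` block extend a hand-maintained per-class list, and nothing in su.te records that it must grow each time security_classes gains a class, which is why keystore_key, debuggerd and drmservice are being caught up here after the fact. Suggest a short comment above these rules stating that su is permissive and that every new class needs a matching `dontaudit su ...` rule, so the next addition does not bring the log noise back. A smaller point: the commit message shows only `find` denials for service_manager while the rule suppresses `*`. That matches the neighbouring `domain:binder *` and `property_type:property_service *` lines, but the message should say the wildcard is intentional, and ideally include a sample denial for the other three classes as well.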