Skip to content
Snippets Groups Projects
Commit caf347b5 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

Tweak rules for su domain. 

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45b)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d
parent 344fc109
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 2 additions and 10 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment