su.te: drop domain_deprecated and app auditallow rules.
su is in permissive all the time. We don't want SELinux log
spam from this domain.
Addresses the following logspam:
avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0
diff --git a/app.te b/app.te
index e2cdcc2..9a86d1c 100644
--- a/app.te
+++ b/app.te
@@ -219,8 +219,8 @@
selinux_check_context(appdomain)
# appdomain should not be accessing information on /sys
-auditallow appdomain sysfs:dir { open getattr read ioctl };
-auditallow appdomain sysfs:file r_file_perms;
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
+auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
###
### Neverallow rules
diff --git a/su.te b/su.te
index f263821..f58f7a3 100644
--- a/su.te
+++ b/su.te
@@ -5,7 +5,7 @@
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
- type su, domain, domain_deprecated, mlstrustedsubject;
+ type su, domain, mlstrustedsubject;
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect