su.te: drop domain_deprecated and app auditallow rules. su is in permissive all the time. We don't want SELinux log spam from this domain. Addresses the following logspam: avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0

commit: 0af2aa0be30f8ab32229d966d012ecfce56f1c91 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Jan 07 15:59:28 2016 -0800
committer: Nick Kralevich <nnk@google.com> Thu Jan 07 15:59:28 2016 -0800
tree: df180d4cd49bfc53f0ad013a933bdfdf8155076d
parent: 1911c27ff002880962fb04429fac950381a795de [diff] [blame]
diff --git a/su.te b/su.te
index f263821..f58f7a3 100644
--- a/su.te
+++ b/su.te

@@ -5,7 +5,7 @@
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, domain_deprecated, mlstrustedsubject;
+  type su, domain, mlstrustedsubject;
   domain_auto_trans(shell, su_exec, su)
 
   # Allow dumpstate to call su on userdebug / eng builds to collect
commit	0af2aa0be30f8ab32229d966d012ecfce56f1c91	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Jan 07 15:59:28 2016 -0800
committer	Nick Kralevich <nnk@google.com>	Thu Jan 07 15:59:28 2016 -0800
tree	df180d4cd49bfc53f0ad013a933bdfdf8155076d
parent	1911c27ff002880962fb04429fac950381a795de [diff] [blame]