Suppress some su capability2 related denials The su domain is always permissive. Operations which occur in this domain should never be logged. Addresses the following denials: avc: denied { bpf } for comm="bpf_module_test" capability=39 scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1 Bug: 185230825 Test: builds Change-Id: Id8bd355a9636fb5e9d26ef570c2cf7e4273b08b5

commit: 124c77140deb24d4ab770de28281067843712bf4 [log] [tgz]
author: Alistair Delva <adelva@google.com> Tue Apr 13 08:19:39 2021 -0700
committer: Alistair Delva <adelva@google.com> Tue Apr 13 08:24:14 2021 -0700
tree: 59b66ff5cdece83686c883b2e35f207f229db8cb
parent: 4ea9b0b9df74a35f80ba5241ec0943b623214eca [diff]
diff --git a/public/su.te b/public/su.te
index cefc44d..074ff2e 100644
--- a/public/su.te
+++ b/public/su.te

@@ -18,6 +18,7 @@
   vndbinder_use(su)
 
   dontaudit su self:capability_class_set *;
+  dontaudit su self:capability2 *;
   dontaudit su kernel:security *;
   dontaudit su { kernel file_type }:system *;
   dontaudit su self:memprotect *;
commit	124c77140deb24d4ab770de28281067843712bf4	[log] [tgz]
author	Alistair Delva <adelva@google.com>	Tue Apr 13 08:19:39 2021 -0700
committer	Alistair Delva <adelva@google.com>	Tue Apr 13 08:24:14 2021 -0700
tree	59b66ff5cdece83686c883b2e35f207f229db8cb
parent	4ea9b0b9df74a35f80ba5241ec0943b623214eca [diff]