su.te: add filesystem dontaudit rule Addresses su denials which occur when mounting filesystems not defined by policy. Addresses denials similar to: avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1 Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e

commit: 85416e06a522b12874ce0db7a90639b221f00625 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Apr 15 17:58:08 2015 -0700
committer: Nick Kralevich <nnk@google.com> Thu Apr 16 08:38:46 2015 -0700
tree: 38c557f0d6b7fea469032f6dd7c4b95d298c42b9
parent: e96c3abe2e86f3ecdfdb7770629e9f73ff1e96d1 [diff] [blame]
diff --git a/su.te b/su.te
index 58c75f6..9c01fc5 100644
--- a/su.te
+++ b/su.te

@@ -49,5 +49,6 @@
   dontaudit su keystore:keystore_key *;
   dontaudit su domain:debuggerd *;
   dontaudit su domain:drmservice *;
+  dontaudit su unlabeled:filesystem *;
   service_manager_local_audit_domain(su)
 ')
commit	85416e06a522b12874ce0db7a90639b221f00625	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Apr 15 17:58:08 2015 -0700
committer	Nick Kralevich <nnk@google.com>	Thu Apr 16 08:38:46 2015 -0700
tree	38c557f0d6b7fea469032f6dd7c4b95d298c42b9
parent	e96c3abe2e86f3ecdfdb7770629e9f73ff1e96d1 [diff] [blame]