Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng

This is do aid developers pushing debug services to not need to modify
the underlying SEPolicy

avc: denied { transition } for comm="init" path="/system/bin/awk"
dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0
tclass=process
avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { siginh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process

Test: init can execute a system_file marked with seclabel u:r:su:s0
Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
diff --git a/private/init.te b/private/init.te
index 4cf6922..02686a3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -15,7 +15,12 @@
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, vendor_init)
 domain_trans(init, { rootfs toolbox_exec }, modprobe)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
+  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
   domain_auto_trans(init, logcat_exec, logpersist)
+
+  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
+  allow init su:process transition;
+  dontaudit init su:process noatsecure;
+  allow init su:process { siginh rlimitinh };
 ')