commit af7deffb2c6ef217d0ea95e2e1d06042bc4e8e34
author Nick Kralevich <nnk@google.com> Tue May 27 15:46:39 2014 -0700
committer Nick Kralevich <nnk@google.com> Tue May 27 15:46:39 2014 -0700
tree 8fe7f3cd5e624e149b25e295508fdee4c9be045f
parent 0cefb70170fcc2bf88e0fb3737a2dd0680bdb123

dontaudit su

Denials generated from the su domain aren't meaningful security
warnings, and just serve to confuse people. Don't log them.

Change-Id: Id38314d4e7b45062c29bed63df4e50e05e4b131e

su.te

diff --git a/su.te b/su.te
index c17fd0b..8615148 100644
--- a/su.te
+++ b/su.te
@@ -26,4 +26,27 @@
 
   # Make su a net domain.
   net_domain(su)
+
+  dontaudit su self:capability_class_set *;
+  dontaudit su kernel:security *;
+  dontaudit su kernel:system *;
+  dontaudit su self:memprotect *;
+  dontaudit su domain:process *;
+  dontaudit su domain:fd *;
+  dontaudit su domain:dir *;
+  dontaudit su domain:lnk_file *;
+  dontaudit su domain:{ fifo_file file } *;
+  dontaudit su domain:socket_class_set *;
+  dontaudit su domain:ipc_class_set *;
+  dontaudit su domain:key *;
+  dontaudit su fs_type:filesystem *;
+  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+  dontaudit su node_type:node *;
+  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+  dontaudit su netif_type:netif *;
+  dontaudit su port_type:socket_class_set *;
+  dontaudit su port_type:{ tcp_socket dccp_socket } *;
+  dontaudit su domain:peer *;
+  dontaudit su domain:binder *;
+  dontaudit su property_type:property_service *;
 ')