Diff - bf254b46ada68ee6ad53092cb7914ebdb43134a5^! - android_system_sepolicy

commit	bf254b46ada68ee6ad53092cb7914ebdb43134a5	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Tue Jan 06 12:50:19 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Tue Jan 06 13:52:41 2015 -0800
tree	190059448ffb2f3ba389d63dc66f57b39a54abde
parent	4fc3780a99c21dc2e559b4b461cf18d96ddd3dc3 [diff]

su.te: suppress service_manager related denials.

The su domain is always permissive, and will always be permissive.
It never makes sense to show su related denials, as they just cause
a false sense of alarm.

Suppress service_manager related denials. For example:

  SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  SELinux : avc:  denied  { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

While I'm here, suppress other recent additionsl to security_classes as
well (keystore_key, debuggerd, drmservice)

Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9

diff --git a/su.te b/su.te
index 6870684..c42e4a7 100644
--- a/su.te
+++ b/su.te

@@ -41,4 +41,8 @@
   dontaudit su domain:peer *;
   dontaudit su domain:binder *;
   dontaudit su property_type:property_service *;
+  dontaudit su service_manager_type:service_manager *;
+  dontaudit su keystore:keystore_key *;
+  dontaudit su domain:debuggerd *;
+  dontaudit su domain:drmservice *;
 ')