exclude su from app auditallow

su is an appdomain, and as such, any auditallow statements applicable to
appdomain also apply to su. However, su is never enforced, so generating
SELinux denials for such domains is pointless. Exclude su from
ion_device auditallow rules.

Addresses the following auditallow spam:

  avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
  ino=10230 ioctlcmd=4906 scontext=u:r:su:s0
  tcontext=u:object_r:ion_device:s0 tclass=chr_file

Test: policy compiles
Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
diff --git a/public/app.te b/public/app.te
index a443bbc..6cb3382 100644
--- a/public/app.te
+++ b/public/app.te
@@ -239,9 +239,9 @@
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow appdomain ion_device:chr_file { write append };
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 # TODO audit ion ioctl usage by apps
-auditallow appdomain ion_device:chr_file ioctl;
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file ioctl;
 
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
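Review bot: The two changed auditallow lines (the `{ write append }` rule and the `ioctl` rule) exclude su with no in-file explanation, so a later reader of app.te sees `{ appdomain userdebug_or_eng(`-su') }` while the reason exists only in the commit message. A one-line comment above them, for example "# su is never enforced; exclude it to avoid avc: granted spam", would keep the rationale next to the rules. The same source set is also spelled out twice; if further ion_device audit rules are added under these TODOs, it is easy to forget the exclusion on one of them. Finally, the message lists only "Test: policy compiles"; checking on a userdebug build that the screencap `avc: granted { ioctl }` record with scontext=u:r:su:s0 no longer appears would confirm the exclusion takes effect.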