su.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # File types must be defined for file_contexts.
 type su_exec, exec_type, file_type;

 userdebug_or_eng(`
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
   type su, domain;
   domain_auto_trans(shell, su_exec, su)

   # Allow dumpstate to call su on userdebug / eng builds to collect
   # additional information.
   domain_auto_trans(dumpstate, su_exec, su)

   # su is unconfined.
   unconfined_domain(su)

   allow su ashmem_device:chr_file execute;
   allow su self:process execmem;
   tmpfs_domain(su)
   allow su su_tmpfs:file execute;
   allow su debuggerd_prop:property_service set;

   # su is also permissive to permit setenforce.
   permissive su;

   # Make su a net domain.
   net_domain(su)
 ')
	# File types must be defined for file_contexts.
	type su_exec, exec_type, file_type;

	userdebug_or_eng(`
	# Domain used for su processes, as well as for adbd and adb shell
	# after performing an adb root command. The domain definition is
	# wrapped to ensure that it does not exist at all on -user builds.
	type su, domain;
	domain_auto_trans(shell, su_exec, su)

	# Allow dumpstate to call su on userdebug / eng builds to collect
	# additional information.
	domain_auto_trans(dumpstate, su_exec, su)

	# su is unconfined.
	unconfined_domain(su)

	allow su ashmem_device:chr_file execute;
	allow su self:process execmem;
	tmpfs_domain(su)
	allow su su_tmpfs:file execute;
	allow su debuggerd_prop:property_service set;

	# su is also permissive to permit setenforce.
	permissive su;

	# Make su a net domain.
	net_domain(su)
	')