su.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # File types must be defined for file_contexts.
 type su_exec, exec_type, file_type;

 userdebug_or_eng(`
   type su, domain;
   domain_auto_trans(shell, su_exec, su)

   # Allow dumpstate to call su on userdebug / eng builds to collect
   # additional information.
   domain_auto_trans(dumpstate, su_exec, su)

   # su is unconfined.
   unconfined_domain(su)

   allow su ashmem_device:chr_file execute;
   allow su self:process execmem;
   tmpfs_domain(su)
   allow su su_tmpfs:file execute;

   # su is also permissive to permit setenforce.
   permissive su;
 ')
	# File types must be defined for file_contexts.
	type su_exec, exec_type, file_type;

	userdebug_or_eng(`
	type su, domain;
	domain_auto_trans(shell, su_exec, su)

	# Allow dumpstate to call su on userdebug / eng builds to collect
	# additional information.
	domain_auto_trans(dumpstate, su_exec, su)

	# su is unconfined.
	unconfined_domain(su)

	allow su ashmem_device:chr_file execute;
	allow su self:process execmem;
	tmpfs_domain(su)
	allow su su_tmpfs:file execute;

	# su is also permissive to permit setenforce.
	permissive su;
	')