sepolicy: Allow system_server to run su_exec() (1/2)

2nd part is in vendor/aicp/sepolicy Change-Id: Ia81d86abf6a9edfce0e497462f023e78e443beaf
author: LorDClockaN <lordclockan@gmail.com> 2016-06-04 21:50:05 +0200
committer: LorDClockaN <lordclockan@gmail.com> 2016-06-04 21:50:05 +0200
commit: 589fbbfddb8d8189613a725cb5cc9eed7e502fac (patch)
tree: b71f9f09653a686a0351e0205d5ee3cd6fce73a6
parent: 6d0f1474838e00c6c597882cabd2bf51d1c7b082 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/domain.te b/domain.te
index 8f600ae..02947e9 100644
--- a/domain.te
+++ b/domain.te
@@ -401,7 +401,7 @@ neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file
 # Nobody should be able to execute su on user builds.
 # On userdebug/eng builds, only dumpstate, shell, and
 # su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -init -untrusted_app -system_app -sudaemon') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -init -untrusted_app -system_app -system_server -sudaemon') } su_exec:file no_x_file_perms;
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
author	LorDClockaN <lordclockan@gmail.com>	2016-06-04 21:50:05 +0200
committer	LorDClockaN <lordclockan@gmail.com>	2016-06-04 21:50:05 +0200
commit	589fbbfddb8d8189613a725cb5cc9eed7e502fac (patch)
tree	b71f9f09653a686a0351e0205d5ee3cd6fce73a6
parent	6d0f1474838e00c6c597882cabd2bf51d1c7b082 (diff)