type su, domain;
type su_exec, exec_type, file_type;
domain_auto_trans(shell, su_exec, su)
# su is unconfined.
unconfined_domain(su)
# su is also permissive to permit setenforce.
permissive su;
