platform_system_sepolicy/su.te

# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
  type su, domain;
  domain_auto_trans(shell, su_exec, su)

  # Allow dumpstate to call su on userdebug / eng builds to collect
  # additional information.
  domain_auto_trans(dumpstate, su_exec, su)

  # su is unconfined.
  unconfined_domain(su)

  allow su ashmem_device:chr_file execute;
  allow su self:process execmem;
  tmpfs_domain(su)
  allow su su_tmpfs:file execute;

  # su is also permissive to permit setenforce.
  permissive su;
')