# SELinux policy for the su domain: the domain a process enters when the
# shell domain executes a file labelled su_exec.
# NOTE(review): nothing in this file restricts these rules to a particular
# build variant. Confirm that the build system includes this policy, and
# that file_contexts assigns the su_exec label, only on debug/engineering
# images; on a production image any shell-domain process able to execute
# such a file would leave its confinement. TODO confirm against the build.

# Declare the process type su and give it the domain attribute.
type su, domain;
# Mark su permissive: access-vector denials for this domain are logged
# but not enforced.
permissive su;
# Declare the file type used to label the su executable.
type su_exec, file_type;
# When a process in the shell domain executes a file labelled su_exec,
# the new process transitions to the su domain automatically.
# The macro is defined outside this file (presumably te_macros); verify
# its expansion there.
domain_auto_trans(shell, su_exec, su)

# su is unconfined: the macro below (defined outside this file) is
# expected to grant the domain broad allow rules. Together with the
# permissive declaration above, SELinux places no effective restriction
# on su, so the remaining gates are the su_exec label and whatever
# checks the su binary and file permissions apply.
unconfined_domain(su)