I am studying the Android system. I am using the imx8mq-evk (Android 8.1). I would like to extend the Android system services, so I modified the Android source code in the folder "<android root>/frameworks/base/services/core" to add my custom service. After that, I tested by flashing the Android image to the board; my custom service is denied by SELinux. I got this error:
10-17 10:08:48.412 2674 2674 I auditd : avc: denied { add } for service=auxdisplay pid=3763 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
10-17 10:08:48.413 2674 2674 E ServiceManager: add_service('auxdisplay',5e) uid=1000 - PERMISSION DENIED
I followed some instructions (here and here) to add SELinux permissions for my custom service. Below are my steps:
1. In file service.te
type auxdisplayj_service, system_api_service, system_server_service, service_manager_type;
2. In file service_contexts
auxdisplay u:object_r:auxdisplayj_service:s0
3. In file system_server.te
allow system_server auxdisplayj_service:service_manager add;
4. In file private/compat/26.0/26.0.cil
(typeattributeset auxdisplayj_service_26_0 (auxdisplayj_service))
5. In file prebuild/api/26.0/nonplat_sepolicy.cil
(typeattribute auxdisplayj_service_26_0)
(roletype object_r auxdisplayj_service_26_0)
(typeattributeset service_manager_type (auxdisplayj_service_26_0))
After compiling and flashing the Android image to the board, I still get the same error; my service is not allowed. Is there anything wrong in my steps? All advice is welcome. Many thanks.
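An added diagnostic, not part of the thread: it parses the avc denial quoted above and checks it against the service_contexts entry from step 2. The tcontext in a service_manager denial is the label the device's service manager actually resolved for that name, so when it reads default_android_service while the source tree maps the name to auxdisplayj_service, the flashed image did not pick up the service_contexts change and the allow rule from step 3 can never match. The catch-all "*" line, the parsing functions and the verdict strings are my own constructions.

```python
import re
# Constructed sample input: the denial quoted in the post.
AVC_LINE = ("10-17 10:08:48.412 2674 2674 I auditd : avc: denied { add } for "
            "service=auxdisplay pid=3763 uid=1000 scontext=u:r:system_server:s0 "
            "tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0")
# Constructed sample: the entry from step 2 plus the usual catch-all line.
SERVICE_CONTEXTS = "auxdisplay u:object_r:auxdisplayj_service:s0\n* u:object_r:default_android_service:s0\n"

AVC_RE = re.compile(r"avc: +denied +\{(?P<perms>[^}]*)\} +for +(?P<kv>.*)$")

def parse_avc(line):
    """Return the denial's permissions and key=value fields, or None if not an avc denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields

def parse_service_contexts(text):
    """Map service name -> context, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, ctx = line.split()
            mapping[name] = ctx
    return mapping

def type_of(ctx):
    return ctx.split(":")[2]  # u:object_r:foo_service:s0 -> foo_service

def diagnose(avc_line, contexts_text):
    d = parse_avc(avc_line)
    if d is None or d.get("tclass") != "service_manager":
        return ("not_service_manager", None)
    ctxs = parse_service_contexts(contexts_text)
    expected = ctxs.get(d["service"], ctxs.get("*"))
    actual_type = type_of(d["tcontext"])
    if expected is not None and type_of(expected) != actual_type:
        # The device labelled the name differently from the tree, so the flashed
        # service_contexts lacks the entry and no rule on the intended type can match.
        return ("contexts_not_on_device", type_of(expected))
    if actual_type == "default_android_service":
        # No entry anywhere: add one; allowing default_android_service directly is
        # blocked by the neverallow rule in domain.te.
        return ("unlabelled_service", None)
    rule = "allow %s %s:%s { %s };" % (type_of(d["scontext"]), actual_type, d["tclass"], " ".join(d["perms"]))
    return ("missing_allow", rule)
```

Run diagnose(AVC_LINE, SERVICE_CONTEXTS) with the device's real /system/etc/selinux (or /vendor/etc/selinux on 8.1) service_contexts pulled via adb to see which of the three cases applies.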
Hi Thinh,
I have exactly the same issue as yours. I added everything I can, but still see the same violation report. Have you fixed this issue?
Hi Xiaofeng Lei,
I can't fix this issue. I have to set se-policy to "permissive" to continue debugging my system service.
Hi Thinh,
Fortunately, I got the answer from Google here: Google Groups. You can check if it's helpful.
Hi Xiaofeng Lei and Thinh,
Can you post all the changes you did to solve this issue?
I am facing the same issue.
Hey,
You have to allow a context switch from system_server to default_android_service. The SELinux rule should be:
allow system_server default_android_service:service_manager { add };
Hi Tim,
You can't do that. domain.te has this neverallow rule: neverallow * default_android_service:service_manager add; so it will prevent compilation, and if you comment out that neverallow rule, you'll fail CTS.