How to Write SE-Linux policy for android System Service?


7,283 Views
trongthinh
Contributor IV

I am studying the Android system. I am using an imx8mq-evk (Android 8.1). I would like to extend the Android system services, so I modified the Android source code in the folder "<android root>/frameworks/base/services/core" to add my custom service. After that, I tested by flashing the Android image to the board; my custom service is denied by SELinux. I got this error:

10-17 10:08:48.412 2674 2674 I auditd : avc: denied { add } for service=auxdisplay pid=3763 uid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
10-17 10:08:48.413 2674 2674 E ServiceManager: add_service('auxdisplay',5e) uid=1000 - PERMISSION DENIED

I followed some instructions (here and here) to add an SELinux permission for my custom service. Below are my steps:

1. In file service.te

type auxdisplayj_service, system_api_service, system_server_service, service_manager_type;

2. In file service_contexts

auxdisplay u:object_r:auxdisplayj_service:s0

3. In file system_server.te

allow system_server auxdisplayj_service:service_manager add;

4. In file private/compat/26.0/26.0.cil

(typeattributeset auxdisplayj_service_26_0 (auxdisplayj_service))

5. In file prebuild/api/26.0/nonplat_sepolicy.cil

(typeattribute auxdisplayj_service_26_0)
(roletype object_r auxdisplayj_service_26_0)
(typeattributeset service_manager_type (auxdisplayj_service_26_0))

After compiling and flashing the Android image to the board, I still get the same error; my service is not allowed. Is there anything wrong in my steps? All advice is welcome. Many thanks.

6 Replies

4,119 Views
xiaofenglei
Contributor II

Hi Thinh,

I have exactly the same issue as you. I added everything I could, but I still see the same violation report. Have you fixed this issue?


4,119 Views
trongthinh
Contributor IV

Hi Xiaofeng Lei,

I can't fix this issue. I have to set the SE policy to "permissive" to continue debugging my system service.


4,119 Views
xiaofenglei
Contributor II

Hi Thinh,

Fortunately, I got the answer from Google here: Google Groups. You can check whether it's helpful.

4,119 Views
abhijit_thorat
Contributor III

Hi Xiaofeng Lei and Thinh,

Can you post all the changes you did to solve this issue?

I am facing the same issue.


4,119 Views
timgruijters
Contributor II

Hey,

You have to allow a context switch from system_server to default_android_service. The SELinux rule should be:

allow system_server default_android_service:service_manager { add };


4,119 Views
trongthinh
Contributor IV

Hi Tim,

You can't do that. domain.te has this neverallow rule: neverallow * default_android_service:service_manager add; so it will prevent compiling. If you comment out that neverallow rule, you'll fail CTS.

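Editor's added example (not code from any poster in this thread or from AOSP) covering both the denial and policy steps in the original question and the allow-vs-neverallow exchange in the last two replies. The telling detail in the logcat line is tcontext=u:object_r:default_android_service:s0: that is the catch-all label servicemanager assigns to any name that the service_contexts file actually loaded on the device does not list, so the allow rule written against auxdisplayj_service can never match this object no matter how it is phrased. The neverallow exists for the same reason: default_android_service is what every unlisted service gets, so granting add on it would let a domain register arbitrary unlabelled names and defeat per-service access control. The script parses the denial, checks the service name against a service_contexts file the way libselinux's service backend does (first exact match, else the "*" entry), classifies the failure, emits the three policy fragments a new system_server service needs, and tests a proposed allow against the neverallow. The service_contexts excerpts and the "device copy" are constructed for the example; the rule matcher only understands literal type names and "*", not attributes.

```python
import re

# Constructed sample inputs (not from any real device): the denial quoted in the original
# post, a service_contexts excerpt as edited in the source tree, the same excerpt as it
# might exist on a device that never got the edit, and the neverallow from domain.te.
AVC_DENIAL = (
    "10-17 10:08:48.412 2674 2674 I auditd : avc: denied { add } for "
    "service=auxdisplay pid=3763 uid=1000 scontext=u:r:system_server:s0 "
    "tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0"
)
SOURCE_SERVICE_CONTEXTS = """
activity      u:object_r:activity_service:s0
auxdisplay    u:object_r:auxdisplayj_service:s0
*             u:object_r:default_android_service:s0
"""
DEVICE_SERVICE_CONTEXTS = """
activity      u:object_r:activity_service:s0
*             u:object_r:default_android_service:s0
"""
NEVERALLOWS = ["neverallow * default_android_service:service_manager add;"]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
RULE_RE = re.compile(r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")

def parse_avc(line):
    """Fields of one 'avc: denied' logcat line as a dict (perms as a list), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(dict(KV_RE.findall(m.group("fields"))))
    return rec

def context_type(ctx):
    return ctx.split(":")[2]          # u:object_r:foo_service:s0 -> foo_service

def parse_service_contexts(text):
    """(service name, context) pairs in file order; '#' comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, ctx = line.split()
            entries.append((name, ctx))
    return entries

def lookup_service_label(entries, name):
    """Label servicemanager assigns: first exact match in file order, else the '*' entry."""
    for entry_name, ctx in entries:
        if entry_name == name or entry_name == "*":
            return ctx
    return None

def diagnose(avc, source_entries):
    """Classify a service_manager denial against the service_contexts you edited."""
    if not avc or avc.get("tclass") != "service_manager":
        return {"cause": "not_service_manager"}
    name = avc.get("service")
    stype, ttype = context_type(avc["scontext"]), context_type(avc["tcontext"])
    if ttype == "default_android_service":
        # Catch-all label: the lookup on the device found no entry for this name, so an
        # allow rule written against your own service type can never match this object.
        expected = lookup_service_label(source_entries, name)
        if expected and context_type(expected) != "default_android_service":
            return {"cause": "stale_policy", "service": name,
                    "fix": "source labels '%s' as %s but the device applied the catch-all; "
                           "the service_contexts on the device is not the one you edited"
                           % (name, context_type(expected))}
        return {"cause": "unlabelled_service", "service": name,
                "fix": "add '%s u:object_r:<your_type>:s0' to service_contexts" % name}
    return {"cause": "missing_allow", "fix": "allow %s %s:%s { %s };"
            % (stype, ttype, avc["tclass"], " ".join(avc["perms"]))}

def suggest_policy(service_name, type_name):
    """Platform-policy fragments a new system_server service needs, keyed by file."""
    return {
        "service.te": "type %s, system_api_service, system_server_service, service_manager_type;"
                      % type_name,
        "service_contexts": "%-24s u:object_r:%s:s0" % (service_name, type_name),
        "system_server.te": "allow system_server %s:service_manager add;" % type_name,
    }

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsed rule: %r" % text)
    kind, src, tgt, cls, perms = m.groups()
    return {"kind": kind, "src": src, "tgt": tgt, "cls": cls,
            "perms": set(perms.strip("{}").split())}

def violates_neverallow(allow_text, neverallow_texts):
    """First neverallow the proposed allow collides with, else None. Only literal type
    names and '*' are compared; checkpolicy also expands attributes, so a clean result
    here is necessary, not sufficient."""
    a = parse_rule(allow_text)
    for n_text in neverallow_texts:
        n = parse_rule(n_text)
        if (n["src"] in ("*", a["src"]) and n["tgt"] in ("*", a["tgt"])
                and n["cls"] == a["cls"] and a["perms"] & n["perms"]):
            return n_text
    return None
```

Running diagnose(parse_avc(AVC_DENIAL), parse_service_contexts(SOURCE_SERVICE_CONTEXTS)) reports "stale_policy": the source tree has the auxdisplay entry but the device applied the catch-all, which is exactly the situation in the original post and points at the policy image rather than the rules. With the device excerpt it reports "unlabelled_service", and only once the target type is your own does it fall through to "missing_allow" and print the rule to add. To use it for real, replace the constructed device excerpt with the copy pulled from the board (on 8.x Treble builds the platform file is /system/etc/selinux/plat_service_contexts) rather than the one in your source tree. Feeding the rule from the reply above to violates_neverallow returns the domain.te neverallow, while the rule against auxdisplayj_service passes; a pass here is not proof, since the real compiler also expands attributes.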