Run shell script at boot in Android 9.0 on i.MX8M Mini Evk


abhijit_thorat
Contributor III

Hi,

I am using iMX 8 Mini EVK for my project. I built Android 9.0 from AOSP for this board.

Now I want to run a script at boot.

I made the following changes in these files, but I am still facing an issue.

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/init.rc

service gea3appservice /vendor/bin/sh /vendor/bin/run.sh
    class late_start
    user root system
    group root system
    oneshot

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/gea3appservice.te

# gea3app service
type gea3appservice, domain;
type gea3appservice_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(gea3appservice)
domain_auto_trans(init, vendor_shell_exec, gea3appservice)

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/file_contexts

/vendor/bin/run.sh   u:object_r:gea3appservice_exec:s0

When I manually run the service, I get the following error:

[  134.010656] type=1400 audit(1564667688.236:3740): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1

Does anyone know this issue?

I tried the approach suggested by the Android developer site:

Writing SELinux Policy  |  Android Open Source Project 

But I get the following error:

libsepol.report_failure: neverallow on line 1002 of system/sepolicy/public/domain.te (or line 11242 of policy.conf) violated by allow gea3appservice gea3appservice_exec:file { execute entrypoint };

HelloHi
Contributor I

I got the same error in AOSP12. Can you please tell me the solution for this?

abhijit_thorat
Contributor III

First I was trying to run a script from vendor/bin.

Now I am trying to run it from system/bin, but I am still facing the same issue.

Following are the changes in AOSP:

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/init.rc

(Added one service named gea3appservicefromsystem in init.rc)

service gea3appservicefromsystem /system/bin/sh /system/bin/run
    class main
    user root
    group root
    oneshot

 

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/gea3appservicefromsystem.te

(Created new SELinux domain for service )

# gea3app service
type gea3appservicefromsystem, coredomain, domain;
type gea3appservicefromsystem_exec, exec_type, file_type;
init_daemon_domain(gea3appservicefromsystem)
domain_auto_trans(init, shell_exec, gea3appservicefromsystem)

 

File : Android_AOSP_build/device/fsl/imx8m/evk_8mm/sepolicy/file_contexts

(To ensure executable properly labeled so SELinux runs the service in the proper domain)


/system/bin/run      u:object_r:gea3appservicefromsystem_exec:s0

File : Android_AOSP_build/out/target/product/evk_8mm/system/bin/run

(This is the script which will run at startup)


#!/bin/sh
mkdir /data/local/tmp/DirFromSystem
#Run GEA Application in background
./gea3app &

File : /home/bruvitiadmin/Android_AOSP_build/device/fsl/imx8m/evk_8mm/BoardConfig.mk

(Changed mode of SELinux from enforcing mode to permissive mode)


BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive

File : Android_AOSP_build/device/fsl/imx8m/sepolicy/init.te

(Allow transition for a service to execute)

allow init gea3appservicefromsystem_exec:process {transition};


We built AOSP and flashed the image. We found that the script runs at bootup but the application failed to start.

Following are the logs:


[   19.028563] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.049710] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.070570] type=1400 audit(25.088:23): avc: denied { execute } for pid=3082 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.090694] type=1400 audit(25.088:23): avc: denied { execute } for pid=3082 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

When we start the service manually as superuser, the script runs but the application fails to start. We get the following logs:

130|evk_8mm:/data/local/tmp # start gea3appservicefromsystem
[  143.274084] init: Received control message 'start' for 'gea3appservicefromsystem' from pid: 4267 (start gea3appservicefromsystem)
[  143.286215] init: starting service 'gea3appservicefromsystem'...
[  143.293347] type=1400 audit(1565344652.192:66): avc: denied { dac_read_search } for pid=4227 comm="main" capability=2 scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=1
[  143.310758] type=1400 audit(1565344745.140:67): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
[  143.327813] type=1400 audit(1565344745.140:67): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
[  143.328017] audit: audit_lost=12 audit_rate_limit=5 audit_backlog_limit=64
[  143.344601] type=1400 audit(1565344745.164:68): avc: denied { getattr } for pid=4268 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.351445] audit: rate limit exceeded
[  143.373387] type=1400 audit(1565344745.164:68): avc: denied { getattr } for pid=4268 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
evk_8mm:/data/local/tmp # [  143.387862] init: Service 'gea3appservicefromsystem' (pid 4268) exited with status 127
[  143.398021] type=1400 audit(1565344745.164:69): avc: denied { execute } for pid=4268 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.428640] type=1400 audit(1565344745.164:69): avc: denied { execute } for pid=4268 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.449068] type=1400 audit(1565344745.164:70): avc: denied { read open } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.470883] type=1400 audit(1565344745.164:70): avc: denied { read open } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.492470] type=1400 audit(1565344745.164:71): avc: denied { execute_no_trans } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
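A small triage helper for the denials posted above, added here as an example and not code from the thread: it parses the `avc: denied` lines, collapses the duplicated records, and groups permissions per source domain, target type and class into candidate allow rules to review against the platform neverallow rules before anything goes into policy. The function names are hypothetical; the sample lines are copied from the logs above.

```python
import re
from collections import defaultdict

# Denial lines copied from the logs posted above; the kernel log prints
# each audit record twice (same audit serial, different timestamp).
LOG = '''\
[   19.028563] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.049710] type=1400 audit(25.088:22): avc: denied { getattr } for pid=3082 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[   19.070570] type=1400 audit(25.088:23): avc: denied { execute } for pid=3082 comm="sh" name="toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.310758] type=1400 audit(1565344745.140:67): avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=1
[  143.449068] type=1400 audit(1565344745.164:70): avc: denied { read open } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
[  143.492470] type=1400 audit(1565344745.164:71): avc: denied { execute_no_trans } for pid=4269 comm="sh" path="/system/bin/toybox" dev="dm-0" ino=120 scontext=u:r:gea3appservicefromsystem:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
'''

# Pull the audit serial, permission set, source/target types and class.
AVC = re.compile(
    r'audit\((?P<serial>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'.*?scontext=\w+:\w+:(?P<src>\w+):\S+'
    r' tcontext=\w+:\w+:(?P<tgt>\w+):\S+'
    r' tclass=(?P<cls>\w+) permissive=(?P<permissive>[01])')


def parse_denials(log):
    """Group denials by (source domain, target type, class)."""
    rules = defaultdict(
        lambda: {"perms": set(), "serials": set(), "permissive": False})
    for m in AVC.finditer(log):
        # A domain denied against its own context is written as 'self'.
        target = "self" if m["src"] == m["tgt"] else m["tgt"]
        entry = rules[(m["src"], target, m["cls"])]
        entry["perms"].update(m["perms"].split())
        entry["serials"].add(m["serial"])  # set membership drops duplicates
        entry["permissive"] |= m["permissive"] == "1"
    return dict(rules)


def candidate_rules(log):
    """Render one candidate allow rule per group, for human review only."""
    out = []
    for (src, tgt, cls), e in sorted(parse_denials(log).items()):
        perms = " ".join(sorted(e["perms"]))
        note = "  # logged only (permissive=1)" if e["permissive"] else ""
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};{note}")
    return out


if __name__ == "__main__":
    print("\n".join(candidate_rules(LOG)))
```

With `permissive=1` the kernel logged these accesses without blocking them, so each candidate rule shows what enforcing mode would deny.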

diegoadrian
NXP Employee

Hello,

Have you remounted Android to have permission to modify the system path?

You can do it through adb.

Best regards,

Diego

abhijit_thorat
Contributor III

No. We didn't remount Android.

But now we have changed the way we run the script.

We referred to the link below:

shell - SELinux prevents my init.rc exec command to execute - Android Enthusiasts Stack Exchange 

diegoadrian
NXP Employee

Hello,

Did you solve the problem? Or are you willing to disable SELinux? 

Best regards,

Diego.

abhijit_thorat
Contributor III

Yes, I solved the issue.

nayanasuresh455
Contributor I

Hi,

I got the same error. Can you tell me the solution for this?

Best regards,

N.Suresh.
